kerberos/KL apis

Prabhakaran vaidya prab at apple.com
Wed Dec 24 13:33:19 EST 2003


Hi,

We are experiencing some strange behavior with kerberos/KL apis between Jaguar/Panther.
Here is the gist of the problem:

-- We need our kerberos enabled apps to run in Jaguar and Panther
-- We have to support multiple realms (dev/test/maint etc.)
-- We have to support multiple userids logged in potentially under all the realms simultaneously
-- Our apps have to coexist in client machines where kerberos realms not known to us might be configured in edu/mit file
-- We use KL apis to get login and get service tickets.

Ideally when our client app runs we would like to restrict the realm
visibility to just the current realm the app is configured for. In
Panther it does not work unless we put all the realms in one file and
change the default realm. (First time a ticket is obtained for the dev
realm, second time test realm is tried and it gets unknown realm though
the file is changed to reflect the new realm.)
Also the KRB5_CONFIG variable does not take effect once the app is
launched and first time some KL apis are called.

In Jaguar the file seems to have been cached and does not take effect
unless we change the KRB5_CONFIG env to a different file name. In
Panther the file name has to be constant once the process is launched
and does not take effect if we change the KRB5_CONFIG env. Many failures
can be seen only when we have the cache populated with various service
tickets and TGTs for different users/realms, thus making the
compatibility between Jaguar and Panther a nightmare. Fix for one OS,
the other will break!

How is the default realm definition from the edu mit file used?
I am wondering if there is a reliable way I can programmatically set
the realms (not depending on config files) in Jaguar and Panther so that
KL, gss, ccache apis all work predictably.

Any help will be appreciated.
Thanks
-prab


