Automatic Prompting for Tickets on Windows

Alexandra Ellwood lxs at MIT.EDU
Thu Jan 8 18:10:24 EST 2004

>  >>>>> "Kevin" == Kevin Coffman <kwc at> writes:
>     Kevin> Does setting the KRB5CCNAME environment variable provide
>     Kevin> *equivalent* funcionality to the use of this private
>     Kevin> function?
>No, it does not.  CCAPI makes the rather dubious decision of binding
>to a cache tightly the first time it is used.  This function tends to
>be used to change that binding.
>On a non-CCAPI platform such as Unix, this function does provide the
>same functionality.

Miro beat me to this, but here's the expanded explanation:

 From my understanding of the way krb5 and GSS currently interact, I 
believe that setting KRB5CCNAME between calls to 
gss_init_sec_context() in a single process will not change the ccache 
used by GSSAPI on any platform.

The krb5 library caches the default ccache name inside krb5_context 
structure when krb5_init_context() is called.  On CCAPI platforms, 
the context caches the value of KRB5CCNAME if it is set; otherwise it 
caches the CCAPI "system default ccache".  On other platforms, the 
context caches the value of KRB5CCNAME.  Once initialized, the 
krb5_context will use its own cached copy of the ccache name for all 
operations.  The only way to change it by calling 
krb5_cc_set_default_name() on the context.  Changing either 
KRB5CCNAME or the CCAPI "system default ccache" won't affect any 
existing contexts.

GSSAPI uses a library-global krb5_context which is initialized the 
first time the context is used.  As a result, GSSAPI binds to a 
ccache name on the first call to gss_init_sec_context() or 
gss_acquire_cred() and never refreshes the context's cached ccache 
name.  The only way to change the ccache name is to call 
gss_krb5_ccache_name() which calls krb5_cc_set_default_name() on the 
global krb5_context.

This bug will be fixed for all platforms in krb5-1.3.2.

In krb5-1.3.2 and later, gss_init_sec_context() will pick up changes 
to KRB5CCNAME and/or the CCAPI "system default ccache" *unless* the 
caller uses gss_krb5_ccache_name() to consciously override GSSAPI's 
default ccache.  We chose this behavior because it results in 
improved behavior for pure GSSAPI callers without interfering with 
the behavior of the gss_krb5_ccache_name() function.

If you can try out the latest 1.3.2 beta to verify this, that would 
be extremely helpful.

Hope this makes things clearer,

Alexandra Ellwood                                               <lxs at>
MIT Information Systems                     

More information about the krbdev mailing list