Credential cache searching, ccapi and file caches

Miro Jurišić meeroh at
Tue Jul 13 17:16:08 EDT 2004

> I'd like to start with a brief summary of how CCAPI works now to
> confirm my understanding and to bring people not familiar with CCAPI
> up to speed.  A CCAPI cache collection is a set of caches that live in
> one cache server process.  Caches contain a set of credentials for
> both v4 and v5  and associated with the credentials is a principal.
> That is, all tickets in a single ccapi cache are expected to  have the
> same client principal.  For the most part there is at most one cache
> with a particular client principal at any given time.

Keeping in mind that my knowledge is out of date, this is not true. 
CCAPI does not require that there be any association between 
credentials in one cache and a particular principal. However, the way 
that CCAPI is used on Mac OS (and presumably now other platforms) is 
that the GUI tools, by means of KLL, create a new ccache when the user 
obtains a new TGT that is not a cross-realm TGT (IIRC). Because of the 
fact that we forced everyone to go through KLL, you can discover "the" 
principal of a ccache by looking for the first TGT in a ccache. I am 
sure that if you make the change in how KLL uses CCAPI to actually put 
multiple principals in a ccache you will discover some client code that 
relied on that, but I would consider such reliance a bug in the client 

This change does have significant impact on the user experience, of 
course, but your email basically says that it's the user experience you 
are trying to change, so I assume you have thought through those 



<> | KB1FMP

"And when I have understanding of computers, I shall be
         the supreme being!" -- Evil, "Time Bandits"

More information about the krbdev mailing list