Credential cache searching, ccapi and file caches
meeroh at meeroh.org
Tue Jul 13 17:16:08 EDT 2004
> I'd like to start with a brief summary of how CCAPI works now to
> confirm my understanding and to bring people not familiar with CCAPI
> up to speed. A CCAPI cache collection is a set of caches that live in
> one cache server process. Caches contain a set of credentials for
> both v4 and v5 and associated with the credentials is a principal.
> That is, all tickets in a single ccapi cache are expected to have the
> same client principal. For the most part there is at most one cache
> with a particular client principal at any given time.

Keeping in mind that my knowledge is out of date, this is not true.
CCAPI does not require that there be any association between
credentials in one cache and a particular principal. However, the way
that CCAPI is used on Mac OS (and presumably now other platforms) is
that the GUI tools, by means of KLL, create a new ccache when the user
obtains a new TGT that is not a cross-realm TGT (IIRC). Because of the
fact that we forced everyone to go through KLL, you can discover "the"
principal of a ccache by looking for the first TGT in a ccache. I am
sure that if you make the change in how KLL uses CCAPI to actually put
multiple principals in a ccache you will discover some client code that
relied on that, but I would consider such reliance a bug in the client.

This change does have significant impact on the user experience, of
course, but your email basically says that it's the user experience you
are trying to change, so I assume you have thought through those
<http://web.meeroh.org/> | KB1FMP
"And when I have understanding of computers, I shall be
the supreme being!" -- Evil, "Time Bandits"
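As an added illustration of the heuristic described in the reply (this is example code, not code from the thread, CCAPI or KLL): a small Python model of a ccache that derives "the" principal from the first non-cross-realm TGT, plus a check for the multi-principal case the reply warns about. All principal and realm names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str   # "primary" or "primary/instance", e.g. "krbtgt/EXAMPLE.ORG"
    realm: str  # e.g. "EXAMPLE.ORG"

    @classmethod
    def parse(cls, text: str) -> "Principal":
        # Split at the last '@'; this toy parser ignores backslash escaping.
        name, sep, realm = text.rpartition("@")
        if not sep or not name or not realm:
            raise ValueError(f"malformed principal: {text!r}")
        return cls(name, realm)

    def is_tgt(self) -> bool:
        # A TGT is a ticket for the krbtgt/<realm> service.
        return self.name.startswith("krbtgt/")

    def is_cross_realm_tgt(self) -> bool:
        # krbtgt/OTHER.REALM@HOME.REALM: the instance names a foreign realm.
        return self.is_tgt() and self.name[len("krbtgt/"):] != self.realm

@dataclass(frozen=True)
class Credential:
    client: Principal
    server: Principal

def ccache_principal(ccache: list[Credential]) -> "Principal | None":
    """Heuristic from the thread: client of the first non-cross-realm TGT."""
    for cred in ccache:
        if cred.server.is_tgt() and not cred.server.is_cross_realm_tgt():
            return cred.client
    return None  # no local TGT: the heuristic cannot name a principal

def distinct_clients(ccache: list[Credential]) -> set[Principal]:
    """Detect the case the thread warns about: several client principals."""
    return {c.client for c in ccache}

def sample_ccaches() -> dict[str, list[Credential]]:
    # Constructed sample caches for illustration (not real tickets).
    p = Principal.parse
    alice, bob = p("alice@EXAMPLE.ORG"), p("bob@EXAMPLE.ORG")
    local_tgt = p("krbtgt/EXAMPLE.ORG@EXAMPLE.ORG")
    return {
        "single": [Credential(alice, local_tgt), Credential(alice, p("host/fs.example.org@EXAMPLE.ORG"))],
        "xrealm_first": [Credential(alice, p("krbtgt/PARTNER.NET@EXAMPLE.ORG")), Credential(alice, local_tgt)],
        "mixed": [Credential(alice, local_tgt), Credential(bob, local_tgt)],
    }
```

Note that for the "mixed" cache the heuristic silently returns the first client while `distinct_clients` reports two, which is exactly the reliance the reply calls a client bug.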