Service Ticket Questions

Henry B. Hotz hotz at
Wed Mar 15 18:49:50 EST 2006

On Mar 15, 2006, at 9:04 AM, krbdev-request at wrote:
> Date: Wed, 15 Mar 2006 11:12:43 -0500
> From: Ken Hornstein <kenh at>
> Subject: Re: Service Ticket Questions
> To: krbdev at
> Message-ID: <200603151612.k2FGCg8n003011 at>
>>>> You could also just never store the service ticket into the ccache.
>>> You know, I looked at that ... and maybe I missed it, but I couldn't
>>> see how to do that with the "public" API.
>> Create and use a memory ccache.  If you like the results, copy the
>> credentials you are interested in into the "real" ccache.
> That _was_ one of my original suggestions.  It will just involve a  
> lot of
> messing around if you want to handle all of the corner cases (e.g.,
> if you're doing cross-realm, do you copy in all of the cross-realm
> TGTs?  What if it fails?).  Maybe that isn't really an issue for
> this application.
> --Ken

I don't think the "messing around" is an issue.  I'm worried about a  
failure for a specific service, so I don't care about cleaning up  
tgt's.  In fact I'd specifically want to leave them around, because  
other services might need them.  Just want something that will work  
today (MacOS 10.3 through Leopard).

Is it as simple as this (Sam's suggestion)?

/* krb5_get_init_creds_password already done. */

krb5_get_credentials(ctx, x, ccache, x, &creds);

/* Do other stuff. */

if (other stuff worked)
	krb5_cc_store_cred(ctx, ccache, &creds)

Presuming this is right, the next question is if I can do all the  
"other stuff" without having the creds in a ccache.  If not, then  
what calls do I use to copy ccache entries (Ken's suggestion)?

I'm reading this thread from the digest, so excuse the delay in  
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the krbdev mailing list