Service Ticket Questions

Henry B. Hotz hotz at
Fri Mar 17 13:01:57 EST 2006

On Mar 17, 2006, at 9:01 AM, krbdev-request at wrote:

> Date: Thu, 16 Mar 2006 12:13:22 -0500
> From: Ken Hornstein <kenh at>
> Subject: Re: Service Ticket Questions
> To: "Henry B. Hotz" <hotz at>
> Cc: krbdev at
> Message-ID: <200603161713.k2GHDN7A029102 at>
>> Is it as simple as this (Sam's suggestion)?
>> /* krb5_get_init_creds_password already done. */
>> krb5_get_credentials(ctx, x, ccache, x, &creds);
>> /* Do other stuff. */
>> if (other stuff worked)
>> 	krb5_cc_store_cred(ctx, ccache, &creds)
> No.  krb5_get_credentials already stores the credentials in the cache
> for you (if you look at the aklog souce, for example, it never calls
> krb5_cc_store_cred()).  The "old" API had a function called
> krb5_get_cred_via_tkt() which doesn't take a ccache, but it's now
> marked under an #ifdef KRB5_PRIVATE, and I don't know if that  
> symbol is
> exported under MacOS X.  That was why I said, "I don't think you  
> can do
> it with the functions available in the public API".  (I am assuming
> that cred_via_tkt() did what you want, but maybe it didn't ... it  
> looks
> like get_cred_from_kdc() maybe is closer to what you really wanted --
> but it's also marked as private).

I think that's the same function I found.  It specifically does not  
check the cc for a pre-existing ticket before getting one.  OK, per  
se, but that raises the corner case where you do this twice and it  
fails the second time.  I think I'm back to needing a working remove  

>> Presuming this is right, the next question is if I can do all the
>> "other stuff" without having the creds in a ccache.  If not, then
>> what calls do I use to copy ccache entries (Ken's suggestion)?
> There is the function krb5_cc_copy_creds().  Actually, that should  
> make
> it really easy now that I think about it.  You can do this:
> 	create memory cache
> 	krb5_cc_copy_creds() from Mac cache into memory cache.
> 	get afs service ticket, try getting token
> 	if successful, clear mac cache (krb5_cc_initialize) and use
> 	krb5_cc_copy_creds() to copy everything back.

I thought that was Heimdal only, but I see it is there.  It's not in  
the same section of krb5.h as the other _cc_ functions.  Could also  
code it with the iteration functions, but. . .

As above, this takes care of conditionally adding the service ticket,  
but not removing a pre-existing one if necessary to maintain synch.   
UNLESS, you wipe out the original cc before copying back.  In that  
case you run the risk of causing other stuff to fail in the interim  
since there are no lock/wait functions.  Since this ought to be done  
as part of login, the probabilities of that seem high.

> Should be a small amount of code.

Even ignoring cross-realm tgt's I'm coming to the conclusion (as you  
said up front) that there are too many corner cases.  *sigh*

More information about the krbdev mailing list