krb5_gss_acquire_cred() vs multiple credential caches

Jeffrey Altman jaltman at secure-endpoints.com
Mon Feb 12 11:31:25 EST 2007


Sam Hartman wrote:
> Why do you prompt the user if you have a live ccache with the
> requested credentials?

Because the application is not requesting credentials and the default
ccache is not the one that contains the credentials.
When gss_acquire_cred() is called with no desired name, we attempt to
use the credentials in the default ccache.  If there are no credentials
in the default ccache (which is associated with a particular Kerberos 5
principal) the user is prompted.  If as a result of the prompt the user
selects an identity for which there are credentials in another ccache,
we return that ccache to GSS-API. 

The problem was not what we were returning, but that the returned value
was being ignored because of the problems using getenv/putenv on Windows
across module boundaries.   getenv/putenv does not access the process
environment block but instead accesses an environment block allocated by
the C Runtime Library when that module's CRL instance was constructed.

The ccache name that is returned to GSS-API may not be the default
ccache and it would be inappropriate for the global ccache to be changed
to this ccache value if the user did not request it.  The solution is to
stop using getenv/putenv on Windows.  

---

There was also a secondary bug in the Leash routines that also
contributed to the multiple prompting.
In the Leash routines, GetEnvironmentVariable() is used.  The semantics
of this system call are weird.
GetEnvironmentVariable returns a non-zero value on success.  It returns
0 on failure or the length of the required buffer on failure. 
Therefore, after calling GetEnvironmentVariable(), GetLastError() is
always called and the last error value is checked to determine if there
was in fact a failure.  The problem is that GetEnvironmentVariable()
does not set the GetLastError() value to STATUS_NO_ERROR when there is
no error.

In the Leash code, GetEnvironmentVariable() is called twice.  First for
"KERBEROSLOGIN_NEVER_PROMPT" to permit the process to prevent prompting
and then for "KRB5CCNAME" to see if there is a default ccache specified
for the process.  If the first variable did not exist, GetLastError()
would return ERROR_ENVVAR_NOT_FOUND.  Then even if the KRB5CCNAME did
exist, GetLastError() would return ERROR_ENVVAR_NOT_FOUND.  The end
result is that the Leash code was looking at the wrong ccache, didn't
find credentials, and would prompt the user again.

This has now been fixed.  The user is only prompted.

Jeffrey Altman
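
The stale last-error pattern described in the message, next to a lookup that decides from the return value, as an added example (not code from the message or from Leash). The names `get_buggy`, `get_checked` and `ccache_found` and the ccache value are hypothetical; off Windows a constructed stand-in replaces the Win32 calls, and on Windows the process is assumed to have KRB5CCNAME set and KERBEROSLOGIN_NEVER_PROMPT unset.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Constructed stand-in so this runs off Windows. It models only what the message
   describes: last-error is written on failure and never cleared on success. */
typedef unsigned long DWORD;
#define ERROR_SUCCESS 0UL
#define ERROR_ENVVAR_NOT_FOUND 203UL
static DWORD g_err;
static DWORD GetLastError(void) { return g_err; }
static void SetLastError(DWORD e) { g_err = e; }
static DWORD GetEnvironmentVariableA(const char *n, char *buf, DWORD size) {
    const char *v = "API:constructed-ccache";  /* sample value; only KRB5CCNAME is set */
    DWORD len = (DWORD)strlen(v);
    if (strcmp(n, "KRB5CCNAME") != 0) { g_err = ERROR_ENVVAR_NOT_FOUND; return 0; }
    if (len + 1 > size) return len + 1;        /* required size, including the NUL */
    memcpy(buf, v, len + 1);
    return len;
}
#endif

/* Pattern from the message: call, then trust GetLastError() unconditionally. */
static int get_buggy(const char *name, char *buf, DWORD size) {
    GetEnvironmentVariableA(name, buf, size);
    return GetLastError() == ERROR_SUCCESS;    /* may be left over from an earlier call */
}
/* Decide from the return value; read GetLastError() only when it is 0. */
static int get_checked(const char *name, char *buf, DWORD size) {
    SetLastError(ERROR_SUCCESS);               /* lets 0 + no error mean "empty value" */
    DWORD n = GetEnvironmentVariableA(name, buf, size);
    if (n >= size) return 0;                   /* buffer too small: n is the size needed */
    if (n == 0 && GetLastError() != ERROR_SUCCESS) return 0;   /* variable not found */
    if (n == 0) buf[0] = '\0';
    return 1;
}
/* The two lookups in the order the message gives; returns 1 if KRB5CCNAME is accepted. */
static int ccache_found(int (*get)(const char *, char *, DWORD), char *out, DWORD size) {
    char flag[8];
    SetLastError(ERROR_SUCCESS);
    get("KERBEROSLOGIN_NEVER_PROMPT", flag, sizeof flag);      /* unset, so this fails */
    return get("KRB5CCNAME", out, size);
}

int main(void) {
    char cc[64] = "";
    printf("buggy:   %d\n", ccache_found(get_buggy, cc, sizeof cc));
    printf("checked: %d\n", ccache_found(get_checked, cc, sizeof cc));
    return 0;
}
```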



