Assuming that you want memory keytabs to be resolved using the normal mechanism, the approach you describe seems fine. Another approach is to have a krb5_kt_new_memory function that returns a handle to a new memory keytab which is destroyed on close. The Heimdal semantic doesn't seem all that bad to me.

--Sam