I think keytabs should behaive like cred caches and the api should be "same". thus there should be a krb5_kt_gen_unique, krb5_kt_resolve krb5_close and krb5_kt_destroy with the same semantics as the krb5_cc equvialent. Thus, any consumers of the heimdal memory cache keytab will simply have to change. Love