Kerberos ccapi: Problem with set_principal on Mac OS 10.5 (Bug ID 5495264)

Alexandra Ellwood lxs at MIT.EDU
Wed Sep 26 17:59:00 EDT 2007

Hi, this is a known bug in current Leopard seed builds.  MIT is  
working with Apple to resolve this issue.

However, I am curious why you are using the CCAPI at all.  The CCAPI  
is a very low level API and usage of it prevents the user from  
choosing to use FILE-based ccaches as their default ccache.

Unless you need to iterate over the credentials caches in the cache  
collection, I would highly recommend switching to using  
krb5_cc_default() to obtain the default ccache and then using  
krb5_cc_initialize() to empty it and set the principal.  This is  
equivalent to the code in your example program and much simpler and  
easier to read.  Avoid calling krb5_cc_set_principal() directly since  
it makes a direct call to the buggy cc_ccache_set_principal() call.

If you need to use the CCAPI you can also call  
cc_context_create_default_ccache() which has the same effect as  
krb5_cc_initialize() (empties the cache of credentials and resets the  
principal).  This will also allow you to avoid calling  

On Sep 26, 2007, at 5:16 PM, John Bowers wrote:

> Hello,
> I am having problems with the CCAPI implementation on the MacOS  
> 10.5 seed builds.  I have submitted a bug report to apple regarding  
> this issue and they have suggested I mail this list.
> The problem I have is simply demonstrated.  Once I open the default  
> ccache, I cannot call set_principal on the ccache without getting  
> error 227 (internal error?).
> I have created a small .c file that, when compiled and run,  
> demonstrates the issue.
> The problem does not occur on MacOS 10.4, it does occur with at  
> least the 2 most recent 10.5 builds.
> Find the example code attached.
> Build This with a command like this:
> gcc -g3 ./test_api_ccache.c -o ccache_test -I /System/Library/ 
> Frameworks/Kerberos.framework/Headers -framework Kerberos
> -----Original Message-----
> From: Apple Developer Bug Reporting [mailto:devbugs at]
> Sent: Wednesday, September 26, 2007 2:55 PM
> To: John Bowers
> Subject: Bug ID 5495264: Your Attention Needed
> Hi John,
> This is a courtesy email regarding Bug ID# 5495264.
> The Kerberos developers at MIT suggested that they could help
> diagnose this problem if they can communicate with you via the krbdev
> mailing list.  To talk to them, please send an email about the
> problem you're seeing to krbdev at, referencing Bug ID#5495264.
> The info page for the mailing list is at
> mailman/listinfo/krbdev .
> Bug reports requiring your update will appear under 'My Originated
> Problems'.  Please review this bug report and provide the requested
> information via the Apple Bug Reporter. Once your report has been
> updated, Engineering will be alerted of the new information.
> <>
> Thank you for your assistance in helping us discover and isolate bugs
> within our products.
> Best Regards,
> Allison Vanderby
> Apple Developer Connection
> Worldwide Developer Relations
> <test_api_ccache.c>
> _______________________________________________
> krbdev mailing list             krbdev at


Alexandra Ellwood <lxs at>
MIT Kerberos Development Team

More information about the krbdev mailing list