Kerberos ccapi: Problem with set_principal on Mac OS 10.5 (Bug ID 5495264)
John.Bowers at quest.com
Wed Sep 26 18:17:23 EDT 2007
Do you have any information on where this issue is being tracked? Is it
considered an Apple issue (and are they tracking it somewhere) or is it
an MIT issue and are you tracking it in your bug database. Basically I
just want to be able to keep up with progress on the issue.
As for why I would use the CCAPI....
Well strictly speaking it isn't me who is using the API. I am using
Hiemdal, and the example code I gave is sort of a cut and paste job from
the Heimdal source.
Since Hiemdal must implement the krb5 APIs you speak of, you can see why
the CCAPIs would be used.
I was using the krb5 APIs, but since I had the source to the APIs I was
able to track down the issue to CCAPI problem and cobble together the
example code. The test code is probably more complex than necessary to
demonstrate the problem, which may have contributed to your curiosity
about why I was using the APIs.
The Heimdal implementation of krb5_cc_initialize() calls the ccapi
set_principal() function. I could see this as being a rather large
problem for users of Heimdal if the issue doesn't get fixed.
From: Alexandra Ellwood [mailto:lxs at MIT.EDU]
Sent: Wednesday, September 26, 2007 3:59 PM
To: John Bowers
Cc: krbdev at mit.edu
Subject: Re: Kerberos ccapi: Problem with set_principal on Mac OS 10.5
(Bug ID 5495264)
Hi, this is a known bug in current Leopard seed builds. MIT is
working with Apple to resolve this issue.
However, I am curious why you are using the CCAPI at all. The CCAPI
is a very low level API and usage of it prevents the user from
choosing to use FILE-based ccaches as their default ccache.
Unless you need to iterate over the credentials caches in the cache
collection, I would highly recommend switching to using
krb5_cc_default() to obtain the default ccache and then using
krb5_cc_initialize() to empty it and set the principal. This is
equivalent to the code in your example program and much simpler and
easier to read. Avoid calling krb5_cc_set_principal() directly since
it makes a direct call to the buggy cc_ccache_set_principal() call.
If you need to use the CCAPI you can also call
cc_context_create_default_ccache() which has the same effect as
krb5_cc_initialize() (empties the cache of credentials and resets the
principal). This will also allow you to avoid calling
On Sep 26, 2007, at 5:16 PM, John Bowers wrote:
> I am having problems with the CCAPI implementation on the MacOS
> 10.5 seed builds. I have submitted a bug report to apple regarding
> this issue and they have suggested I mail this list.
> The problem I have is simply demonstrated. Once I open the default
> ccache, I cannot call set_principal on the ccache without getting
> error 227 (internal error?).
> I have created a small .c file that, when compiled and run,
> demonstrates the issue.
> The problem does not occur on MacOS 10.4, it does occur with at
> least the 2 most recent 10.5 builds.
> Find the example code attached.
> Build This with a command like this:
> gcc -g3 ./test_api_ccache.c -o ccache_test -I /System/Library/
> Frameworks/Kerberos.framework/Headers -framework Kerberos
> -----Original Message-----
> From: Apple Developer Bug Reporting [mailto:devbugs at apple.com]
> Sent: Wednesday, September 26, 2007 2:55 PM
> To: John Bowers
> Subject: Bug ID 5495264: Your Attention Needed
> Hi John,
> This is a courtesy email regarding Bug ID# 5495264.
> The Kerberos developers at MIT suggested that they could help
> diagnose this problem if they can communicate with you via the krbdev
> mailing list. To talk to them, please send an email about the
> problem you're seeing to krbdev at mit.edu, referencing Bug ID#5495264.
> The info page for the mailing list is at https://mailman.mit.edu/
> mailman/listinfo/krbdev .
> Bug reports requiring your update will appear under 'My Originated
> Problems'. Please review this bug report and provide the requested
> information via the Apple Bug Reporter. Once your report has been
> updated, Engineering will be alerted of the new information.
> Thank you for your assistance in helping us discover and isolate bugs
> within our products.
> Best Regards,
> Allison Vanderby
> Apple Developer Connection
> Worldwide Developer Relations
> krbdev mailing list krbdev at mit.edu
Alexandra Ellwood <lxs at mit.edu>
MIT Kerberos Development Team
More information about the krbdev