Kerberos ccapi: Problem with set_principal on Mac OS 10.5 (Bug ID 5495264)

John Bowers John.Bowers at
Wed Sep 26 18:17:23 EDT 2007

Do you have any information on where this issue is being tracked?  Is it
considered an Apple issue (and are they tracking it somewhere) or is it
an MIT issue and are you tracking it in your bug database.  Basically I
just want to be able to keep up with progress on the issue.

As for why I would use the CCAPI....

Well strictly speaking it isn't me who is using the API.  I am using
Hiemdal, and the example code I gave is sort of a cut and paste job from
the Heimdal source.

Since Hiemdal must implement the krb5 APIs you speak of, you can see why
the CCAPIs would be used.  

I was using the krb5 APIs, but since I had the source to the APIs I was
able to track down the issue to CCAPI problem and cobble together the
example code.  The test code is probably more complex than necessary to
demonstrate the problem, which may have contributed to your curiosity
about why I was using the APIs.

The Heimdal implementation of krb5_cc_initialize() calls the ccapi
set_principal() function.   I could see this as being a rather large
problem for users of Heimdal if the issue doesn't get fixed.

-----Original Message-----
From: Alexandra Ellwood [mailto:lxs at MIT.EDU] 
Sent: Wednesday, September 26, 2007 3:59 PM
To: John Bowers
Cc: krbdev at
Subject: Re: Kerberos ccapi: Problem with set_principal on Mac OS 10.5
(Bug ID 5495264)

Hi, this is a known bug in current Leopard seed builds.  MIT is  
working with Apple to resolve this issue.

However, I am curious why you are using the CCAPI at all.  The CCAPI  
is a very low level API and usage of it prevents the user from  
choosing to use FILE-based ccaches as their default ccache.

Unless you need to iterate over the credentials caches in the cache  
collection, I would highly recommend switching to using  
krb5_cc_default() to obtain the default ccache and then using  
krb5_cc_initialize() to empty it and set the principal.  This is  
equivalent to the code in your example program and much simpler and  
easier to read.  Avoid calling krb5_cc_set_principal() directly since  
it makes a direct call to the buggy cc_ccache_set_principal() call.

If you need to use the CCAPI you can also call  
cc_context_create_default_ccache() which has the same effect as  
krb5_cc_initialize() (empties the cache of credentials and resets the  
principal).  This will also allow you to avoid calling  

On Sep 26, 2007, at 5:16 PM, John Bowers wrote:

> Hello,
> I am having problems with the CCAPI implementation on the MacOS  
> 10.5 seed builds.  I have submitted a bug report to apple regarding  
> this issue and they have suggested I mail this list.
> The problem I have is simply demonstrated.  Once I open the default  
> ccache, I cannot call set_principal on the ccache without getting  
> error 227 (internal error?).
> I have created a small .c file that, when compiled and run,  
> demonstrates the issue.
> The problem does not occur on MacOS 10.4, it does occur with at  
> least the 2 most recent 10.5 builds.
> Find the example code attached.
> Build This with a command like this:
> gcc -g3 ./test_api_ccache.c -o ccache_test -I /System/Library/ 
> Frameworks/Kerberos.framework/Headers -framework Kerberos
> -----Original Message-----
> From: Apple Developer Bug Reporting [mailto:devbugs at]
> Sent: Wednesday, September 26, 2007 2:55 PM
> To: John Bowers
> Subject: Bug ID 5495264: Your Attention Needed
> Hi John,
> This is a courtesy email regarding Bug ID# 5495264.
> The Kerberos developers at MIT suggested that they could help
> diagnose this problem if they can communicate with you via the krbdev
> mailing list.  To talk to them, please send an email about the
> problem you're seeing to krbdev at, referencing Bug ID#5495264.
> The info page for the mailing list is at
> mailman/listinfo/krbdev .
> Bug reports requiring your update will appear under 'My Originated
> Problems'.  Please review this bug report and provide the requested
> information via the Apple Bug Reporter. Once your report has been
> updated, Engineering will be alerted of the new information.
> <>
> Thank you for your assistance in helping us discover and isolate bugs
> within our products.
> Best Regards,
> Allison Vanderby
> Apple Developer Connection
> Worldwide Developer Relations
> <test_api_ccache.c>
> _______________________________________________
> krbdev mailing list             krbdev at


Alexandra Ellwood <lxs at>
MIT Kerberos Development Team

More information about the krbdev mailing list