Kerberos ccapi: Problem with set_principal on Mac OS 10.5 (Bug ID 5495264)

Alexandra Ellwood lxs at MIT.EDU
Thu Sep 27 01:27:08 EDT 2007

This issue is being tracked by Radar #5495264 (the bug you filed) and  
RT #5771 in the MIT Kerberos bug tracking database.

Heimdal should probably be using cc_context_create_ccache() to  
implement krb5_cc_initialize().

On Sep 26, 2007, at 6:17 PM, John Bowers wrote:

> Do you have any information on where this issue is being tracked?   
> Is it
> considered an Apple issue (and are they tracking it somewhere) or  
> is it
> an MIT issue and are you tracking it in your bug database.   
> Basically I
> just want to be able to keep up with progress on the issue.
> As for why I would use the CCAPI....
> Well strictly speaking it isn't me who is using the API.  I am using
> Hiemdal, and the example code I gave is sort of a cut and paste job  
> from
> the Heimdal source.
> Since Hiemdal must implement the krb5 APIs you speak of, you can  
> see why
> the CCAPIs would be used.
> I was using the krb5 APIs, but since I had the source to the APIs I  
> was
> able to track down the issue to CCAPI problem and cobble together the
> example code.  The test code is probably more complex than  
> necessary to
> demonstrate the problem, which may have contributed to your curiosity
> about why I was using the APIs.
> The Heimdal implementation of krb5_cc_initialize() calls the ccapi
> set_principal() function.   I could see this as being a rather large
> problem for users of Heimdal if the issue doesn't get fixed.
> -----Original Message-----
> From: Alexandra Ellwood [mailto:lxs at MIT.EDU]
> Sent: Wednesday, September 26, 2007 3:59 PM
> To: John Bowers
> Cc: krbdev at
> Subject: Re: Kerberos ccapi: Problem with set_principal on Mac OS 10.5
> (Bug ID 5495264)
> Hi, this is a known bug in current Leopard seed builds.  MIT is
> working with Apple to resolve this issue.
> However, I am curious why you are using the CCAPI at all.  The CCAPI
> is a very low level API and usage of it prevents the user from
> choosing to use FILE-based ccaches as their default ccache.
> Unless you need to iterate over the credentials caches in the cache
> collection, I would highly recommend switching to using
> krb5_cc_default() to obtain the default ccache and then using
> krb5_cc_initialize() to empty it and set the principal.  This is
> equivalent to the code in your example program and much simpler and
> easier to read.  Avoid calling krb5_cc_set_principal() directly since
> it makes a direct call to the buggy cc_ccache_set_principal() call.
> If you need to use the CCAPI you can also call
> cc_context_create_default_ccache() which has the same effect as
> krb5_cc_initialize() (empties the cache of credentials and resets the
> principal).  This will also allow you to avoid calling
> cc_ccache_set_principal().
> On Sep 26, 2007, at 5:16 PM, John Bowers wrote:
>> Hello,
>> I am having problems with the CCAPI implementation on the MacOS
>> 10.5 seed builds.  I have submitted a bug report to apple regarding
>> this issue and they have suggested I mail this list.
>> The problem I have is simply demonstrated.  Once I open the default
>> ccache, I cannot call set_principal on the ccache without getting
>> error 227 (internal error?).
>> I have created a small .c file that, when compiled and run,
>> demonstrates the issue.
>> The problem does not occur on MacOS 10.4, it does occur with at
>> least the 2 most recent 10.5 builds.
>> Find the example code attached.
>> Build This with a command like this:
>> gcc -g3 ./test_api_ccache.c -o ccache_test -I /System/Library/
>> Frameworks/Kerberos.framework/Headers -framework Kerberos
>> -----Original Message-----
>> From: Apple Developer Bug Reporting [mailto:devbugs at]
>> Sent: Wednesday, September 26, 2007 2:55 PM
>> To: John Bowers
>> Subject: Bug ID 5495264: Your Attention Needed
>> Hi John,
>> This is a courtesy email regarding Bug ID# 5495264.
>> The Kerberos developers at MIT suggested that they could help
>> diagnose this problem if they can communicate with you via the krbdev
>> mailing list.  To talk to them, please send an email about the
>> problem you're seeing to krbdev at, referencing Bug ID#5495264.
>> The info page for the mailing list is at
>> mailman/listinfo/krbdev .
>> Bug reports requiring your update will appear under 'My Originated
>> Problems'.  Please review this bug report and provide the requested
>> information via the Apple Bug Reporter. Once your report has been
>> updated, Engineering will be alerted of the new information.
>> <>
>> Thank you for your assistance in helping us discover and isolate bugs
>> within our products.
>> Best Regards,
>> Allison Vanderby
>> Apple Developer Connection
>> Worldwide Developer Relations
>> <test_api_ccache.c>
>> _______________________________________________
>> krbdev mailing list             krbdev at
> --lxs
> Alexandra Ellwood <lxs at>
> MIT Kerberos Development Team
> <>


Alexandra Ellwood <lxs at>
MIT Kerberos Development Team

More information about the krbdev mailing list