get_cred starting realm

Greg Hudson ghudson at
Wed Apr 29 10:07:59 EDT 2015

I want to talk about possible designs to solve a problem Nico has

krb5_get_credentials() assumes that cross-realm TGS requests should
begin with the local TGT principal of the client realm.  This assumption
has worked for a long time, but there are two edge cases where it
doesn't: fully-anonymous tickets where the client realm is
WELLKNOWN:ANONYMOUS, and delegated local TGTs for foreign realms.  I
don't remember where we have talked about the second case, so it may be
easier to just think about the first case.

It's clear that the solution to this problem involves changing
get_creds, but beyond that there are several choices:

1. We can decide that the creator of a new ccache is responsible for
knowing when it is creating one of these edge cases, and signalling that
by setting a cache config variable indicating the starting realm.
get_creds can check this variable and uses it in preference to the
client realm.

2. get_creds can iterate through the ccache and use the first local TGT
it finds, perhaps after looking up the client realm TGT.  This could
yield non-deterministic behavior if the ccache type doesn't preserve
order, in the rare case where the cache contains multiple local TGT
creds.  It could also become a performance limiter.

3. We can decide that the ccache layer is responsible for knowing the
starting TGT somehow and making that information available to get_creds.

Nico's approach in Heimdal falls in the third category, with these
specifics: if you initialize a ccache handle and then
krb5_cc_store_cred() a credential for a local TGT, the generic ccache
layer recognizes this and sets a start_realm config variable for the TGT
realm.  get_creds checks this variable as in (1).  The implementation,
minus some later bugfixes, is at:

I am wary of putting this kind of magic into the generic ccache
store_creds() dispatch.  I had been assuming that the best solution
would be in the first category, but perhaps it is unreasonable to ask
ccache creators to do more than store a TGT.  What do other people

More information about the krbdev mailing list