get_cred starting realm

Nico Williams nico at
Thu Apr 30 16:45:17 EDT 2015

On Thu, Apr 30, 2015 at 03:23:03PM -0500, Nico Williams wrote:
> On Thu, Apr 30, 2015 at 03:40:40PM -0400, Greg Hudson wrote:
> > I think the two other viable options are:
> > 
> > 1. Make kinit -n and krb5_gss_accept_sec_context() responsible for
> > setting a start-realm config entry when the local TGT realm differs from
> > the client principal realm.  Basically, treat the edge cases as
> > exceptional and force them to be addressed at the highest possible layers.
> I'd live with this because it'd at least interop with Heimdal and could
> be implemented by other stacks that implement the FILE ccache format.
> But I won't contribute patches to implement (1) because I'd have to also
> submit patches for third-party applications like pam_krb5, and I'm not
> interested in boiling oceans in general.  See more below.

I misread Greg's (1) proposal.  It's fine and requires no changes to
existing applications not in-tree.  I'd still prefer always writing the
start-realm ccconfig because for FILE ccaches doing so means that it
will always be found quickly.


More information about the krbdev mailing list