Credential Cache for multiple client principal names

Simo Sorce simo at redhat.com
Wed Jun 29 10:31:50 EDT 2016


On Wed, 2016-06-29 at 16:15 +0200, Rick van Rein wrote:
> Hello,
> 
> I'm trying to create [1] a mechanism to be used from multiple client
> principal names, each with their own service tickets.  Secure separation
> between the identities is not an issue.
> 
> It is not clear to me how to do this.  I suspect I should use
> DIR:/var/mytool and perhaps KEYRING: on Linux, but it is not clear if
> I'm supposed to read and write tickets (including krbtgt) for various
> client principal names in the same cache, or that I should instead
> iterate it as a credential cache collection, and prod each credentials
> cache for the (default) client principal name and add a new one to the
> collection if I need it.

DIR or KEYRING should be equivalent for your purpose; they are both
cache collections.

> Can you help me, or perhaps show me some examples that do this?

Have you looked in kinit/kvno/gssapi code?

If you set up two realms in two separate DNS domains and then kinit to
two different principals, you can see how kvno or any gssapi application
will work to store tickets in the caches to access services in the two
realms.

> Thanks,
>  -Rick
> 
> [1] I'm working on a "TLS Pool" daemon [2] that takes TLS logic away
> from applications and that will incorporate a mode for Kerberos [3].
> 
> [2] http://tlspool.arpa2.net
> 
> [3] https://tools.ietf.org/html/draft-vanrein-tls-kdh-04


-- 
Simo Sorce * Red Hat, Inc * New York



More information about the krbdev mailing list