Credential Cache for multiple client principal names

Rick van Rein rick at
Wed Jun 29 12:05:30 EDT 2016


Thanks Simo!
> DIR or KEYRING should be equivalent for your purpose, they are both
> cache collections.

Good, I seem to be onto something then :)
>> Can you help me, or perhaps show me some examples that do this?
> Have you looked in kinit/kvno/gssapi code ?

Thanks!  I found that kinit has another instrument, where it has one
cache, but supportive of krb5_cc_support_switch() so I could use
krb5_cc_cache_match() instead of the iteration over a cache collection,
and krb5_cc_new_unique() to add a new identity.

The kinit approach sounds lighter-weight, though I'm not yet clear if it
will let me work on any but the current cache, which could be
problematic since my TLS Pool is multi-threaded, to handle multiple TLS
connections for multiple users.

Any hints on that are welcome of course :)
> If you set up two realms in two separate DNS domains and then kinit to
> two different principals, you can see how kvno or any gssapi application
> will work to store tickets in the caches to access services in the two
> realms.

Hmm, I tried that with kinit and it was confusing me -- but that might
be because its sole purpose is to initiate a cache.  I will try kvno as
well then, good hint :)

Best wishes,

More information about the krbdev mailing list