Not building kcpytkt/kdeltkt

Sam Hartman hartmans at
Thu Aug 5 11:59:02 EDT 2021

>>>>> "Ken" == Ken Hornstein <kenh at> writes:

    >>> But the fact that krb5_cc_remove_cred() is used by Samba
    >>> suggests to me that kdeltkt might be useful on other platforms,
    >>> especially if you're using a Windows DC?
    >> I don't think that follows.  krb5's API covers a much wider range
    >> of functionality than the CLI does.  There needs to be a stronger
    >> case than "might be useful" to ship something.

    Ken> I guess I was thinking of what I would call the next logical
    Ken> steps:

    Ken> - Samba has found it useful to be able to delete a specific
    Ken> service ticket from a credential cache when communicating with
    Ken> a Windows DC, to the point where the functionality was added to
    Ken> a number of credential caches.

    Ken> - People who are using MIT Kerberos directly with a Windows DC
    Ken> also might find it useful to delete a specific service ticket
    Ken> from a credential cache, for the same reasons that Samba finds
    Ken> it useful.

    Ken> If my logic is wrong or not compelling enough, fair enough.

I think the logic is fine.  But I'd like to see a couple more people
specifically desire the feature.

For your testing, kdeltkt is simple enough I think it's reasonable for
you to build it separately or to shim the API somehow in some other way.
But if a few more people want it, then it makes sense to me at least to
ship something.

More information about the krbdev mailing list