
Re: kinit and old credentials



"Howard Chu" <hyc@highlandsun.com> writes:

> I'm also surprised that it doesn't work with K5, since the K5 credential
> cache stored a principal name with each individual ticket. But then again,
> this is all from my (8 year old) memory of the MIT code, and I haven't looked
> at the Heimdal cred cache code. I know this whole issue was a problem for us
> when we wrote the combined K4/K5 Kclient module back at Platinum Technology;
> I solved it by hacking the K4 to behave like the K5 cache, all in a single
> shared memory region.

All formats of the credential cache store a `primary principal' in the
cache, and that principal is extracted with krb5_cc_get_principal().

However, this is redundant information, since all krb5_creds within the
credential cache have both the client and server principal stored within
them.

So, the file technically supports it. And the interface kind of supports it;
none of the applications use it. I'm trying to not sound negative here,
just presenting the facts. I'm all for fixing this problem.

Example. I've got two TGTs in my cache, one for lha@E.KTH.SE and one for
lha@NADA.KTH.SE, and I ssh to shell.stacken.kth.se. What do I want to use?
I guess the answer is the primary principal.

So, resetting the primary principal to a new principal is what you want?

The krb5_cc_retrieve_cred documentation is vague regarding how to treat the
mcreds->client field when requesting a cred.

Also, I'll need to check with the MIT people how they do this.

Love
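A small model of the selection problem discussed in this thread, added here as an illustration; it is not code from Heimdal, MIT Kerberos or the poster, and the names retrieve_cred, set_primary and example_cache are made up for it. It assumes one reading of the vague point above: a missing client in the match template falls back to the cache's primary principal, so switching the primary principal is what changes which of the two TGTs gets picked.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a credential cache, NOT libkrb5 or Heimdal code.
 * As the thread says: one primary principal per cache, and every cred
 * carries its own client and server principal. */
struct cred { const char *client; const char *server; };

struct ccache {
    const char *primary;      /* what krb5_cc_get_principal() would return */
    struct cred creds[8];
    int ncreds;
};

/* Match in the spirit of krb5_cc_retrieve_cred's mcreds template.
 * Assumption for this model: client == NULL means "the primary principal",
 * server == NULL matches any server. */
static const struct cred *
retrieve_cred(const struct ccache *cc, const char *client, const char *server)
{
    const char *want = client ? client : cc->primary;
    for (int i = 0; i < cc->ncreds; i++) {
        const struct cred *c = &cc->creds[i];
        if (strcmp(c->client, want) != 0)
            continue;
        if (server && strcmp(c->server, server) != 0)
            continue;
        return c;
    }
    return NULL;
}

/* Replace the primary principal; the stored creds are left untouched.
 * Refuses a principal that owns no cred in the cache, so the cache never
 * points at an identity it cannot actually act as. */
static int set_primary(struct ccache *cc, const char *principal)
{
    if (!retrieve_cred(cc, principal, NULL))
        return -1;
    cc->primary = principal;
    return 0;
}

/* The two-TGT cache from the post, as constructed sample data. */
static struct ccache example_cache(void)
{
    struct ccache cc = { "lha@E.KTH.SE", {
        { "lha@E.KTH.SE",    "krbtgt/E.KTH.SE@E.KTH.SE" },
        { "lha@NADA.KTH.SE", "krbtgt/NADA.KTH.SE@NADA.KTH.SE" } }, 2 };
    return cc;
}
```

With the primary principal set to lha@E.KTH.SE a template with no client selects the E.KTH.SE TGT; after set_primary(&cc, "lha@NADA.KTH.SE") the same template selects the NADA.KTH.SE one, while an explicit client still picks either TGT regardless of the primary principal.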