On 01/02/2015 05:35 PM, Markus Moeller wrote:
> I lately changed from krb5 1.10 on OpenSuse 12.3 to krb5 1.12 on OpenSuse
> 13.2 and wonder what is happening

The DIR ccache type was actually added in krb5 1.10, but presumably OpenSUSE 12.3 wasn't using it by default, and OpenSUSE 13.2 is. The basic expected behavior with the DIR ccache type is:

* kinit with a new principal name adds to the collection rather than overwriting existing tickets.

* klist -l lists the caches in the collection. klist -A lists credentials in all caches in the collection.

* kswitch -p princname switches the primary cache.

* kdestroy -A destroys all caches in the collection. kdestroy without the -A option destroys only the primary cache.

* GSSAPI client applications typically use the primary cache, but can access other caches if they request a specific client principal, if configured to do so via the ~/.k5identity file, or based on the realm heuristic.

I think your second invocation of socksify is choosing to use your SUSE.HOME credentials to access a service in the SUSE.HOME realm (the realm heuristic). If this behavior is undesirable, there are a few workarounds:

* Run kdestroy before running kinit with the new principal, effectively disabling the collection behavior.

* Configure ~/.k5identity to choose the principal you want, if you can define a fixed mapping from services to principals. See the k5identity(5) man page.

* Point KRB5CCNAME at the subsidiary cache you want to use (e.g. DIR::/run/user/1000/krb5cc/tkt3a1A8Y). We would like this to be easily done via the kswitch command (e.g. "kswitch m...@win2003r2.home socksify ...") but we haven't implemented that yet.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
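
The third workaround in the message above, pointing KRB5CCNAME at one subsidiary cache for a single command, can be scripted as follows. This is an added example, not part of the original post or of MIT krb5: the function names `cache_for_principal` and `krb5_run_as`, the `alice@...` principals and the sample listing are constructed, and it assumes `klist -l` prints two header lines followed by "principal cache-name" rows.

```shell
#!/bin/sh
# Constructed sample of `klist -l` output for a DIR collection holding two caches.
SAMPLE_KLIST_L='Principal name                 Cache name
--------------                 ----------
alice@WIN2003R2.HOME           DIR::/run/user/1000/krb5cc/tkt
alice@SUSE.HOME                DIR::/run/user/1000/krb5cc/tkt3a1A8Y'

# cache_for_principal PRINC
# Reads `klist -l` output on stdin and prints the cache name whose default
# principal is exactly PRINC. Returns non-zero when no cache matches, so the
# caller never falls back silently to the primary cache or the realm heuristic.
cache_for_principal() {
    awk -v p="$1" '
        NR > 2 && $1 == p && $2 != "" { print $2; found = 1; exit }
        END { exit !found }
    '
}

# krb5_run_as PRINC COMMAND [ARGS...]   (hypothetical helper)
# Runs COMMAND with KRB5CCNAME set to PRINC's subsidiary cache. Only the child
# process sees the setting; the collection's primary cache is left unchanged,
# unlike `kswitch -p`.
krb5_run_as() {
    if [ "$#" -lt 2 ]; then
        echo "usage: krb5_run_as principal command [args...]" >&2
        return 2
    fi
    princ=$1
    shift
    cache=$(klist -l | cache_for_principal "$princ") || {
        echo "krb5_run_as: no cache in the collection for $princ" >&2
        return 1
    }
    env KRB5CCNAME="$cache" "$@"
}
```

After sourcing the file, `krb5_run_as alice@SUSE.HOME klist` shows which credentials the wrapped command will see.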