Please be aware that I'm using Red Hat's KCM implementation in sssd. It's supposed to be compatible with Heimdal's, but based on documentation it appears that it may not be.
The default value of KRB5CCNAME is simply "KCM:". It had better be user-specific, or everybody shares a collection.

    geneva:~/kerberos> klist -A
    Ticket cache: KCM:1000:737
    Default principal: hedr...@cs.rutgers.edu

    Valid starting       Expires              Service principal
    07/22/2019 12:35:34  07/22/2019 20:33:37  krbtgt/cs.rutgers....@cs.rutgers.edu
            renew until 07/16/2020 09:53:19
    geneva:~/kerberos> setenv KRB5CCNAME KCM:1000
    geneva:~/kerberos> klist
    klist: No credentials cache found
    geneva:~/kerberos> setenv KRB5CCNAME KCM:
    geneva:~/kerberos> klist
    Ticket cache: KCM:1000:737
    Default principal: hedr...@cs.rutgers.edu

    Valid starting       Expires              Service principal
    07/22/2019 12:35:34  07/22/2019 20:33:37  krbtgt/cs.rutgers....@cs.rutgers.edu
            renew until 07/16/2020 09:53:19

I don't know how it's implemented, but it behaves as if KCM:1000 is a specific cache, and only KCM: can access the whole collection.

Note that root can't read other users' caches, so in a daemon I have to use setreuid to change to a user and then look at KCM:

I get the same results on my Mac if I use a MacPorts port of MIT Kerberos. With the builtin utilities I can't make KCM work at all.

On Jul 22, 2019, at 1:00 PM, Greg Hudson <ghud...@mit.edu> wrote:

> The KCM daemon's namespace is machine-global, not uid-specific, and I
> don't think doing setruid() would be visible to the daemon anyway (it
> should see the euid of the client, not the ruid).

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
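The pattern discussed in this thread (a root daemon switching to the user, pointing KRB5CCNAME at "KCM:" rather than "KCM:<uid>", and reading the collection), written out as an added example. This is not code from the thread, from sssd or from MIT Kerberos. It assumes Python 3.9 or later, that MIT `klist` is on PATH, that the caller is root whenever a different user is requested, and that the KCM daemon identifies the client by the effective uid of the socket peer, as the quoted reply states. The sample `klist -A` output embedded below is constructed with placeholder principals, not the poster's.

```python
"""Read one user's KCM credential collection from a root-run daemon.

Added example, not from the mailing-list thread. The child process switches
real and effective uid/gid to the target user before exec, so the KCM daemon
sees that user as the peer; KRB5CCNAME is set to "KCM:" (the collection),
since "KCM:<uid>" is reported as "No credentials cache found" in the thread.
Assumes Python 3.9+ (subprocess user=/group=), MIT klist on PATH, and root
privileges when the requested user is not the current one.
"""
from __future__ import annotations

import os
import pwd
import re
import subprocess
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample output of `klist -A` in the shape shown in the post,
# with placeholder principals (not the poster's real ones).
SAMPLE_KLIST_A = """\
Ticket cache: KCM:1000:737
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
07/22/2019 12:35:34  07/22/2019 20:33:37  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 07/16/2020 09:53:19
07/22/2019 12:40:02  07/22/2019 20:33:37  host/server.example.com@EXAMPLE.COM

Ticket cache: KCM:1000:912
Default principal: alice/admin@EXAMPLE.COM

Valid starting       Expires              Service principal
07/22/2019 13:01:10  07/22/2019 23:01:10  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

_TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
_TICKET_RE = re.compile(rf"^({_TS})\s+({_TS})\s+(\S+)\s*$")
_RENEW_RE = re.compile(rf"^\s+renew until ({_TS})\s*$")


@dataclass
class Ticket:
    valid_from: str
    expires: str
    service: str
    renew_until: Optional[str] = None


@dataclass
class Cache:
    name: str  # one cache inside the collection, e.g. "KCM:1000:737"
    principal: str
    tickets: list = field(default_factory=list)


def parse_klist(text: str) -> list:
    """Parse `klist -A` output into Cache objects. An error message such as
    "klist: No credentials cache found" (or empty input) yields []."""
    caches: list = []
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            caches.append(Cache(name=line.split(":", 1)[1].strip(), principal=""))
        elif line.startswith("Default principal:") and caches:
            caches[-1].principal = line.split(":", 1)[1].strip()
        elif caches:
            m = _TICKET_RE.match(line)
            if m:
                caches[-1].tickets.append(Ticket(*m.groups()))
                continue
            m = _RENEW_RE.match(line)
            if m and caches[-1].tickets:
                # "renew until" lines belong to the ticket printed just above
                caches[-1].tickets[-1].renew_until = m.group(1)
    return caches


def list_kcm_caches(username: str, klist: str = "klist") -> list:
    """Run `klist -A` as `username` against KCM: and parse the result.

    When `username` is not the current effective user, the child drops to
    that user's uid/gid (and clears supplementary groups) before exec, which
    is what makes the user's caches visible to a root daemon. Requires root
    in that case. A non-zero exit (no tickets) is returned as [].
    """
    pw = pwd.getpwnam(username)
    env = dict(os.environ, KRB5CCNAME="KCM:", HOME=pw.pw_dir)
    kwargs = {}
    if pw.pw_uid != os.geteuid():
        kwargs = dict(user=pw.pw_uid, group=pw.pw_gid, extra_groups=[])
    proc = subprocess.run([klist, "-A"], env=env, capture_output=True,
                          text=True, **kwargs)
    if proc.returncode != 0:
        return []
    return parse_klist(proc.stdout)


if __name__ == "__main__":
    for cache in parse_klist(SAMPLE_KLIST_A):
        print(cache.name, cache.principal, [t.service for t in cache.tickets])
```

Run as root with `list_kcm_caches("alice")` to read that user's collection; the `__main__` block only exercises the parser on the constructed sample, which is the part that runs without a KCM daemon.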