Florence has hit the nail on the head. The env variable KRB5CCNAME seems to take precedence over settings in /etc/krb5.conf
I can switch my user between credential cache types as follows:

KRB5CCNAME=KEYRING:persistent:664600003
kinit
klist
Ticket cache: KEYRING:persistent:664600003:664600003

KRB5CCNAME="FILE:/tmp/krb5cc_664600003"
kinit
klist
Ticket cache: FILE:/tmp/krb5cc_664600003

Cheers
Chris

From: Christopher Lamb <[email protected]>
Date: Tuesday, 3 March 2026 at 14:12
To: Florence Blanc-Renaud <[email protected]>, FreeIPA users list <[email protected]>
Cc: Alexander Bokovoy <[email protected]>
Subject: Re: [EXTERNAL] Re: [Freeipa-users] Re: How to change credential cache type for FreeIPA user

Hi Florence

In the “good” VM:

klist
Ticket cache: FILE:/tmp/krb5cc_664600003
Default principal: [email protected]

echo $KRB5CCNAME
FILE:/tmp/krb5cc_664600003

In the “bad” VM:

klist
Ticket cache: KEYRING:persistent:710000003:krb_ccache_0HX8sMH
Default principal: [email protected]

echo $KRB5CCNAME
KEYRING:persistent:710000003

Kind regards
Chris

From: Florence Blanc-Renaud <[email protected]>
Date: Tuesday, 3 March 2026 at 14:02
To: FreeIPA users list <[email protected]>
Cc: Alexander Bokovoy <[email protected]>, Christopher Lamb <[email protected]>
Subject: [EXTERNAL] Re: [Freeipa-users] Re: How to change credential cache type for FreeIPA user

Hi,

do you have the env variable KRB5CCNAME set?

On Tue, Mar 3, 2026 at 9:26 AM Christopher Lamb via FreeIPA-users <[email protected]> wrote:

Hi

Based on the 3 Fedora + FreeIPA Server instances I have set up over the past few days, it seems that rebooting the system between configuring for credential cache type FILE and creating the user(s) with ipa user-add is important. As you say, it seems like something is caching the setting.
If I get time I will create a 4th VM without the reboot to confirm this. For the moment I have a Fedora VM with a credential cache of type FILE that the Java GSS code can access.

Cheers
Chris

From: Alexander Bokovoy <[email protected]>
Date: Monday, 2 March 2026 at 16:59
To: Christopher Lamb <[email protected]>
Cc: FreeIPA users list <[email protected]>
Subject: [EXTERNAL] Re: [Freeipa-users] Re: How to change credential cache type for FreeIPA user

On Mon, 02 Mar 2026, Christopher Lamb wrote:
>Hi Alexander
>
>I have now set up a second Fedora 43 Virtual Machine, and I now get credential
>cache of type FILE, as I did early this afternoon with Fedora 38.
>
>After the ipaserver-install:
>
>  1. I configured /etc/krb5.conf with "default_ccache_name = FILE:/tmp/krb5cc_%{uid}"
>  2. In /etc/krb5.conf.d/kcm_default_ccache disabled KCM: #default_ccache_name = KCM:
>
>So far this was the “same procedure as every year”.
>
>Then unlike my first Fedora 43 install, I rebooted. Only after the reboot did
>I create the user “lamb” with "ipa user-add"
>
>When I log on with user lamb, klist shows
>
>Ticket cache: FILE:/tmp/krb5cc_664600003
>Default principal: [email protected]

Ok. I wonder if there is something that caches these settings on the previous system.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
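
The precedence observed in this thread, as an added example that is not part of the original messages: a shell helper that reports whether KRB5CCNAME is overriding default_ccache_name from the krb5 config files. The function names, the output format and the sample files are assumptions of this example, and only the first config setting found is compared.

```shell
#!/bin/sh
# Added example, not from the thread. Sample files below are constructed.

# Print each uncommented default_ccache_name in [libdefaults] of the given files.
config_ccache_names() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk '
            /^[ \t]*[#;]/ { next }   # comment line, e.g. "#default_ccache_name = KCM:"
            /^[ \t]*\[/   { lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
            lib && /^[ \t]*default_ccache_name[ \t]*=/ {
                sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print
            }' "$f"
    done
}

# ccache_report ENV_VALUE FILE...
# Compares the cache type (text before the first ":") of KRB5CCNAME with the
# first config setting found; using the first match is this example's assumption.
ccache_report() {
    env_value=$1; shift
    cfg=$(config_ccache_names "$@" | head -n 1)
    if [ -z "$env_value" ]; then
        echo "config:${cfg:-<library default>}"
    elif [ -n "$cfg" ] && [ "${env_value%%:*}" != "${cfg%%:*}" ]; then
        echo "override:${env_value%%:*} shadows ${cfg%%:*}"
    else
        echo "env:$env_value"
    fi
}

# Constructed sample mirroring the configuration described in the thread.
make_sample() {
    printf '%s\n' '[libdefaults]' '#default_ccache_name = KCM:' > "$1/kcm_default_ccache"
    printf '%s\n' '[libdefaults]' '  default_ccache_name = FILE:/tmp/krb5cc_%{uid}' > "$1/krb5.conf"
}

d=$(mktemp -d)
make_sample "$d"
ccache_report "KEYRING:persistent:710000003" "$d/kcm_default_ccache" "$d/krb5.conf"
ccache_report "" "$d/kcm_default_ccache" "$d/krb5.conf"
rm -rf "$d"
# On a real host: ccache_report "$KRB5CCNAME" /etc/krb5.conf.d/* /etc/krb5.conf
```

An "override" line corresponds to the “bad” VM in the thread: the config files ask for FILE, but the session environment carries a KEYRING name, so klist and kinit use the keyring.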
