Hello,

There is a bug report (https://github.com/heimdal/heimdal/issues/355) saying that using the FILE: credential cache designator does not work. Interestingly enough, it works for me (FreeBSD 11.1, heimdal 7.5.0 from FreeBSD ports).

Trying to use other cache types causes strange errors though:

With /home/saper/.krb5cc directory existing, an attempt to set in /etc/krb5.conf

    [libdefaults]
    default_cc_name = DIR:/home/saper/.krb5cc

causes kinit to crash because we explicitly pass NULL to dcc_resolve() in dcache.c:362:

    % gdb /usr/local/bin/kinit
    GNU gdb 6.1.1 [FreeBSD]
    Copyright 2004 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for details.
    This GDB was configured as "amd64-marcel-freebsd"...
    (gdb) run
    Starting program: /usr/local/bin/kinit

    Program received signal SIGSEGV, Segmentation fault.
    dcc_resolve (context=0x803846000, id=0x0, res=0x803835020 "/home/saper/.krb5cc") at dcache.c:362
    362         (*id)->data.data = dc;
    Current language: auto; currently minimal
    (gdb) bt
    #0  dcc_resolve (context=0x803846000, id=0x0, res=0x803835020 "/home/saper/.krb5cc") at dcache.c:362
    #1  0x0000000800ee9d0d in dcc_get_cache_first (context=0x803846000, cursor=0x8038421f8) at dcache.c:568
    #2  0x0000000800ed4799 in krb5_cc_cache_get_first (context=0x803846000, type=0x800f3f4e4 "DIR", cursor=0x8038421d8) at cache.c:1145
    #3  0x0000000800ed4c42 in krb5_cccol_cursor_next (context=0x803846000, cursor=0x8038421d0, cache=0x7fffffffe1f8) at cache.c:1532
    #4  0x0000000800ed48f0 in krb5_cc_cache_match (context=0x803846000, client=0x8038353a0, id=0x7fffffffe3c8) at cache.c:1227
    #5  0x0000000000403cc1 in main (argc=0, argv=0x7fffffffe870) at kinit.c:1315

Looking at the code it seems to me that "DIR" ccache type is simply not implemented.

With

    default_cc_name = SCC:/home/saper/krb5cc.sqlite

it is even more interesting. kinit seems to ignore the file part and always creates SCC:/tmp/krb5scc_%{uid}:

    % ls -l /tmp/krb5scc_169
    -rw-------  1 saper  wheel  20480 22 lut 22:32 /tmp/krb5scc_169
    saper@poniatowski:~ % sqlite3 /tmp/krb5scc_169
    SQLite version 3.21.0 2017-10-24 18:55:49
    Enter ".help" for usage hints.
    sqlite> .schema
    CREATE TABLE master (oid INTEGER PRIMARY KEY,version INTEGER NOT NULL,defaultcache TEXT NOT NULL);
    CREATE TABLE caches (oid INTEGER PRIMARY KEY,principal TEXT,name TEXT NOT NULL);
    CREATE TABLE credentials (oid INTEGER PRIMARY KEY,cid INTEGER NOT NULL,kvno INTEGER NOT NULL,etype INTEGER NOT NULL,created_at INTEGER NOT NULL,cred BLOB NOT NULL);
    CREATE TABLE principals (oid INTEGER PRIMARY KEY,principal TEXT NOT NULL,type INTEGER NOT NULL,credential_id INTEGER NOT NULL);
    CREATE TRIGGER CacheDropCreds AFTER DELETE ON caches FOR EACH ROW BEGIN DELETE FROM credentials WHERE cid=old.oid;END;
    CREATE TRIGGER credDropPrincipal AFTER DELETE ON credentials FOR EACH ROW BEGIN DELETE FROM principals WHERE credential_id=old.oid;END;

but "klist" is not so smart:

    % /usr/local/bin/klist
    klist: krb5_cc_get_principal: No principal for cache SCC:/home/saper/krb5cc.sqlite:/tmp/krb5scc_169

but klist -A seems to somehow work:

    % /usr/local/bin/klist -A
    Credentials cache: SCC:unique-0x803849000
            Principal: sa...@mydomain.org

      Issued                Expires               Principal
    Feb 22 22:32:57 2018  Feb 23 22:32:57 2018  krbtgt/mydomain....@mydomain.org

Some records seem to be written to /tmp/krb5cc_169 database, but kdestroy does not seem to remove them, though (it exits silently).

I am looking for a possibility to store multiple tickets from many realms independently - I've been using DIR ccache with MIT Kerberos quite successfully. Is there any credential cache other than FILE working with Heimdal?

FreeBSD-specific note: This is Heimdal 7.5.0 installed from ports, that's why /usr/local/bin/{kinit,kdestroy,list} commands are used; FreeBSD base comes with Heimdal 1.5.2, but port tools are properly linked with 7.5.0 libraries, so I don't think there's any hiccup here.

    % ldd /usr/local/bin/kinit
    /usr/local/bin/kinit:
            libkafs.so.0 => /usr/local/lib/heimdal/libkafs.so.0 (0x80082a000)
            libheimbase.so.1 => /usr/local/lib/heimdal/libheimbase.so.1 (0x800a34000)
            libhx509.so.5 => /usr/local/lib/heimdal/libhx509.so.5 (0x800c48000)
            libkrb5.so.26 => /usr/local/lib/heimdal/libkrb5.so.26 (0x800ea6000)
            libheimntlm.so.0 => /usr/local/lib/heimdal/libheimntlm.so.0 (0x80115e000)
            libwind.so.0 => /usr/local/lib/heimdal/libwind.so.0 (0x801369000)
            libhcrypto.so.4 => /usr/local/lib/heimdal/libhcrypto.so.4 (0x801592000)
            libasn1.so.8 => /usr/local/lib/heimdal/libasn1.so.8 (0x8017e2000)
            libcom_err.so.1 => /usr/local/lib/heimdal/libcom_err.so.1 (0x801ad4000)
            libroken.so.18 => /usr/local/lib/heimdal/libroken.so.18 (0x801cd9000)
            libsqlite3.so.0 => /usr/local/lib/libsqlite3.so.0 (0x801ef2000)
            libcrypto.so.8 => /lib/libcrypto.so.8 (0x802400000)
            libintl.so.8 => /usr/local/lib/libintl.so.8 (0x802869000)
            libcrypt.so.5 => /lib/libcrypt.so.5 (0x802a73000)
            libthr.so.3 => /lib/libthr.so.3 (0x802c92000)
            libc.so.7 => /lib/libc.so.7 (0x802eba000)
            libm.so.5 => /lib/libm.so.5 (0x803272000)

Marcin
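
Added example, not part of the original message and not Heimdal code: a read-only check, built on the SCC schema quoted in the message, that lists each cache with its credential count and counts rows the two triggers should have removed, which is one way to confirm whether records survive a cache deletion. The sample rows, realm names and the helper names `summarize`, `orphans` and `build_sample` are constructed for illustration; the `cred` blobs are never read.

```python
import sqlite3

# Schema exactly as printed by ".schema" in the message above.
SCHEMA = """
CREATE TABLE master (oid INTEGER PRIMARY KEY,version INTEGER NOT NULL,defaultcache TEXT NOT NULL);
CREATE TABLE caches (oid INTEGER PRIMARY KEY,principal TEXT,name TEXT NOT NULL);
CREATE TABLE credentials (oid INTEGER PRIMARY KEY,cid INTEGER NOT NULL,kvno INTEGER NOT NULL,etype INTEGER NOT NULL,created_at INTEGER NOT NULL,cred BLOB NOT NULL);
CREATE TABLE principals (oid INTEGER PRIMARY KEY,principal TEXT NOT NULL,type INTEGER NOT NULL,credential_id INTEGER NOT NULL);
CREATE TRIGGER CacheDropCreds AFTER DELETE ON caches FOR EACH ROW BEGIN DELETE FROM credentials WHERE cid=old.oid;END;
CREATE TRIGGER credDropPrincipal AFTER DELETE ON credentials FOR EACH ROW BEGIN DELETE FROM principals WHERE credential_id=old.oid;END;
"""

def summarize(db):
    """Return [(cache name, principal, credential count)]; cred blobs are not read."""
    return db.execute(
        "SELECT c.name, c.principal, COUNT(k.oid) FROM caches c "
        "LEFT JOIN credentials k ON k.cid = c.oid "
        "GROUP BY c.oid ORDER BY c.oid").fetchall()

def orphans(db):
    """Return (credentials without a cache, principals without a credential)."""
    creds = db.execute(
        "SELECT COUNT(*) FROM credentials "
        "WHERE cid NOT IN (SELECT oid FROM caches)").fetchone()[0]
    princs = db.execute(
        "SELECT COUNT(*) FROM principals "
        "WHERE credential_id NOT IN (SELECT oid FROM credentials)").fetchone()[0]
    return creds, princs

def build_sample():
    """In-memory database with constructed rows (placeholder realms and names)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO caches VALUES (1, 'user@EXAMPLE.ORG', 'unique-a')")
    db.execute("INSERT INTO caches VALUES (2, 'user@EXAMPLE.NET', 'unique-b')")
    db.execute("INSERT INTO credentials VALUES (1, 1, 0, 18, 1519335177, x'00')")
    db.execute("INSERT INTO credentials VALUES (2, 2, 0, 18, 1519335177, x'00')")
    db.execute("INSERT INTO principals VALUES (1, 'krbtgt/EXAMPLE.ORG@EXAMPLE.ORG', 0, 1)")
    db.execute("INSERT INTO principals VALUES (2, 'krbtgt/EXAMPLE.NET@EXAMPLE.NET', 0, 2)")
    return db

if __name__ == "__main__":
    db = build_sample()
    print(summarize(db))
    # Deleting one caches row; the two triggers cascade to the other tables.
    db.execute("DELETE FROM caches WHERE name = 'unique-a'")
    print(summarize(db), orphans(db))
```

To inspect a real cache file instead of the sample, open it read-only with `sqlite3.connect("file:PATH?mode=ro", uri=True)` and pass the connection to `summarize` and `orphans`.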