Hello,

There is a bug report (https://github.com/heimdal/heimdal/issues/355) saying
that using the FILE: credential cache designator does not work. Interestingly enough,
it works for me (FreeBSD 11.1, heimdal 7.5.0 from FreeBSD ports).

Trying to use other cache types causes strange errors though:

With /home/saper/.krb5cc directory existing an attempt to set in /etc/krb5.conf

[libdefaults]
        default_cc_name = DIR:/home/saper/.krb5cc

causes kinit to crash because we explicitly pass NULL to dcc_resolve() in dcache.c:362:

% gdb /usr/local/bin/kinit
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...
(gdb) run
Starting program: /usr/local/bin/kinit 

Program received signal SIGSEGV, Segmentation fault.
dcc_resolve (context=0x803846000, id=0x0, res=0x803835020 "/home/saper/.krb5cc")
    at dcache.c:362
362         (*id)->data.data = dc;
Current language:  auto; currently minimal
(gdb) bt
#0  dcc_resolve (context=0x803846000, id=0x0, res=0x803835020 "/home/saper/.krb5cc")
    at dcache.c:362
#1  0x0000000800ee9d0d in dcc_get_cache_first (context=0x803846000, cursor=0x8038421f8)
    at dcache.c:568
#2  0x0000000800ed4799 in krb5_cc_cache_get_first (context=0x803846000, 
    type=0x800f3f4e4 "DIR", cursor=0x8038421d8) at cache.c:1145
#3  0x0000000800ed4c42 in krb5_cccol_cursor_next (context=0x803846000, 
    cursor=0x8038421d0, cache=0x7fffffffe1f8) at cache.c:1532
#4  0x0000000800ed48f0 in krb5_cc_cache_match (context=0x803846000, 
    client=0x8038353a0, id=0x7fffffffe3c8) at cache.c:1227
#5  0x0000000000403cc1 in main (argc=0, argv=0x7fffffffe870) at kinit.c:1315

Looking at the code it seems to me that the "DIR" ccache type is simply not implemented.

With
        default_cc_name = SCC:/home/saper/krb5cc.sqlite

it is even more interesting.

kinit seems to ignore the file part and always creates SCC:/tmp/krb5scc_%{uid}:

% ls -l /tmp/krb5scc_169 
-rw-------  1 saper  wheel  20480 22 lut 22:32 /tmp/krb5scc_169
saper@poniatowski:~ % sqlite3 /tmp/krb5scc_169
SQLite version 3.21.0 2017-10-24 18:55:49
Enter ".help" for usage hints.
sqlite> .schema
CREATE TABLE master (oid INTEGER PRIMARY KEY,version INTEGER NOT NULL,defaultcache TEXT NOT NULL);
CREATE TABLE caches (oid INTEGER PRIMARY KEY,principal TEXT,name TEXT NOT NULL);
CREATE TABLE credentials (oid INTEGER PRIMARY KEY,cid INTEGER NOT NULL,kvno INTEGER NOT NULL,etype INTEGER NOT NULL,created_at INTEGER NOT NULL,cred BLOB NOT NULL);
CREATE TABLE principals (oid INTEGER PRIMARY KEY,principal TEXT NOT NULL,type INTEGER NOT NULL,credential_id INTEGER NOT NULL);
CREATE TRIGGER CacheDropCreds AFTER DELETE ON caches FOR EACH ROW BEGIN DELETE FROM credentials WHERE cid=old.oid;END;
CREATE TRIGGER credDropPrincipal AFTER DELETE ON credentials FOR EACH ROW BEGIN DELETE FROM principals WHERE credential_id=old.oid;END;

but "klist" is not so smart:

% /usr/local/bin/klist
klist: krb5_cc_get_principal: No principal for cache 
SCC:/home/saper/krb5cc.sqlite:/tmp/krb5scc_169

but klist -A seems to somehow work:

% /usr/local/bin/klist -A
Credentials cache: SCC:unique-0x803849000
        Principal: sa...@mydomain.org

  Issued                Expires               Principal
Feb 22 22:32:57 2018  Feb 23 22:32:57 2018  krbtgt/mydomain....@mydomain.org

Some records seem to be written to the /tmp/krb5cc_169 database, but
kdestroy does not seem to remove them (it exits silently).

I am looking for a possibility to store multiple tickets from many realms independently;
I've been using the DIR ccache with MIT Kerberos quite successfully.

Is there any credential cache other than FILE working with Heimdal?

FreeBSD-specific note:

This is Heimdal 7.5.0 installed from ports, which is why the
/usr/local/bin/{kinit,kdestroy,klist} commands are used; FreeBSD base comes with
Heimdal 1.5.2, but the port tools are properly linked with the 7.5.0 libraries,
so I don't think there's any hiccup here.

% ldd /usr/local/bin/kinit
/usr/local/bin/kinit:
        libkafs.so.0 => /usr/local/lib/heimdal/libkafs.so.0 (0x80082a000)
        libheimbase.so.1 => /usr/local/lib/heimdal/libheimbase.so.1 (0x800a34000)
        libhx509.so.5 => /usr/local/lib/heimdal/libhx509.so.5 (0x800c48000)
        libkrb5.so.26 => /usr/local/lib/heimdal/libkrb5.so.26 (0x800ea6000)
        libheimntlm.so.0 => /usr/local/lib/heimdal/libheimntlm.so.0 (0x80115e000)
        libwind.so.0 => /usr/local/lib/heimdal/libwind.so.0 (0x801369000)
        libhcrypto.so.4 => /usr/local/lib/heimdal/libhcrypto.so.4 (0x801592000)
        libasn1.so.8 => /usr/local/lib/heimdal/libasn1.so.8 (0x8017e2000)
        libcom_err.so.1 => /usr/local/lib/heimdal/libcom_err.so.1 (0x801ad4000)
        libroken.so.18 => /usr/local/lib/heimdal/libroken.so.18 (0x801cd9000)
        libsqlite3.so.0 => /usr/local/lib/libsqlite3.so.0 (0x801ef2000)
        libcrypto.so.8 => /lib/libcrypto.so.8 (0x802400000)
        libintl.so.8 => /usr/local/lib/libintl.so.8 (0x802869000)
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x802a73000)
        libthr.so.3 => /lib/libthr.so.3 (0x802c92000)
        libc.so.7 => /lib/libc.so.7 (0x802eba000)
        libm.so.5 => /lib/libm.so.5 (0x803272000)

Marcin
