I'm using Kerberos for Windows 3.2.2 on Windows XP SP3 and noticed a problem using kinit/klist when multiple users ssh to the host.
If I ssh to the Windows host as "userA", then run klist, I see the following:

    (as userA - krbcc32s NOT running)
    $ klist
    klist.exe: No credentials cache found (ticket cache API:krb5cc)

That's as expected. And... looking at ProcessExplorer, the krbcc32s process is now running as "userA".

Now, ssh as "userB" and run klist:

    (as userB - krbcc32s running as userA)
    $ klist
    klist.exe: Credentials cache I/O operation failed XXX while getting default ccache

If I kill krbcc32s and redo the test, but login as "userB" first, I see just the reverse, i.e.:

    (as userB - krbcc32s NOT running)
    $ klist
    klist.exe: No credentials cache found (ticket cache API:krb5cc)

    (as userA - krbcc32s running as userB)
    $ klist
    klist.exe: Credentials cache I/O operation failed XXX while getting default ccache

My first suspicion was the fact that the CC is the same for both users (API:krb5cc), but if I redo the above tests and set KRB5CCNAME to something unique for each user (e.g. API:krb5cc_userA, API:krb5cc_userB) it fails the same way.

If I use a unique "FILE:" credentials cache for each user (e.g. FILE:C:/tmp/krb5cc_userA, FILE:C:/tmp/krb5cc_userB), then it seems to work, but krbcc32s is running as the first user who started it, which bothers me.

Soooo... 2 questions:

1) Is it not possible to use an API: credentials cache for more than one user?
2) Is it OK to use a FILE: credentials cache in this case even though krbcc32s is running as the first user who started it?
