How to set the Kerberos default_ccache_name attribute on a client without using KRB5CCNAME?

Squirrel · Apr 20, 2015 · Viewed 20.5k times

According to the MIT Kerberos documentation, the default credential cache name is determined as follows:

Default ccache name

The default credential cache name is determined by the following, in descending order of priority:

1. The KRB5CCNAME environment variable. For example, KRB5CCNAME=DIR:/mydir/.
2. The default_ccache_name profile variable in [libdefaults].
3. The hardcoded default, DEFCCNAME.

http://web.mit.edu/kerberos/krb5-devel/doc/basic/ccache_def.html

I'm wondering if there's a way to define the default_ccache_name profile variable (#2) on the client side? I've tried defining it as follows in /etc/krb5.conf on one of my client machines:

[libdefaults]
        ...
        default_ccache_name = FILE:/var/krb5/security/creds/krb5cc_%{uid}
        ...

But the client binaries (klist / kinit / kdestroy etc.) seem to ignore this completely:

[~]$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_34125)

I'm running version 1.9.4:

[~]$ klist -V
Kerberos 5 version 1.9.4

Answer

Squirrel · Apr 20, 2015

Drat, I think I found my own answer -- version 1.9.4 doesn't have this parameter:

http://web.mit.edu/kerberos/www/krb5-1.9/krb5-1.9.4/doc/krb5-admin.html

It would help to look in the right documentation...
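
Added example (not part of the original question or answer, and not MIT's code): a small resolver that applies the priority order quoted in the question and reports which source decides the cache name, which is useful when auditing where tickets actually land on a host. It assumes the hardcoded DEFCCNAME matches the /tmp path klist printed above, expands only the %{uid} token, and relies on MIT's krb5.conf documentation marking default_ccache_name as new in release 1.11; the function names and the sample realm are hypothetical.

```python
import re

# Constructed sample krb5.conf, modelled on the snippet in the question.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_ccache_name = FILE:/var/krb5/security/creds/krb5cc_%{uid}

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

# Assumption: the build's DEFCCNAME matches the path klist printed in the question.
DEFCCNAME = "FILE:/tmp/krb5cc_%{uid}"
# MIT's krb5.conf documentation marks default_ccache_name as new in release 1.11.
MIN_VERSION = (1, 11)


def libdefaults_value(conf_text, key):
    """Return the first value of `key` inside [libdefaults], or None."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            if name == key:
                return value
    return None


def resolve_ccache(env, conf_text, version, uid):
    """Apply the documented priority order; return (cache name, source)."""
    if env.get("KRB5CCNAME"):
        # The environment value is used as given, without token expansion.
        return env["KRB5CCNAME"], "KRB5CCNAME"
    configured = libdefaults_value(conf_text, "default_ccache_name")
    if configured and version >= MIN_VERSION:
        name, source = configured, "default_ccache_name"
    else:
        # Older releases never read the profile variable, so it is silently ignored.
        name, source = DEFCCNAME, "DEFCCNAME"
    return name.replace("%{uid}", str(uid)), source
```

Calling `resolve_ccache({}, SAMPLE_CONF, (1, 9, 4), 34125)` reproduces the behaviour in the question: the configured path is skipped and the /tmp default is reported with source DEFCCNAME.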