Ubuntu – How to change ccache type of MIT Kerberos


The MIT Kerberos Documentation lists seven different ways to store Kerberos credentials:

  1. API
  2. DIR
  3. FILE
  4. KCM
  5. KEYRING
  6. MEMORY
  7. MSLSA

At the moment my Kerberos setup is storing credentials in a file in the /tmp
directory. In my krb5.conf file the ccache_type option is set to 4 by default:

        # The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

And in the MIT Kerberos Documentation about the krb5.conf file it says about the ccache_type option:

This parameter determines the format of credential cache types created by kinit or other programs. The default value is 4, which represents the most current format. Smaller values can be used for compatibility with very old implementations of Kerberos which interact with credential caches on the same host.

It seems that the value of the ccache_type option does not correspond to the seven ccache types that the documentation lists, since 4 specifies the "most current format" and not "KCM".

Therefore, my question is: How can I configure Kerberos to use a different ccache type, for example a keyring or memory?

Best Answer

You'll want to alter the KRB5CCACHE environmental variable. Usually you'll do this for all instances in krb5.conf as follows:

[libdefaults]
default_ccache_name = KEYRING:persistent:%{uid}

However, you can set it in other ways, e.g. export KRB5CCNAME=KEYRING:persistent:$(id -u).
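
Added example, not part of the original answer: a small shell script that resolves which credential cache a process would end up with (KRB5CCNAME first, then default_ccache_name from [libdefaults]) and reports its storage type, which is the prefix before the first colon and is unrelated to the ccache_type format number. The function names, the sample krb5.conf and the fallback of FILE:/tmp/krb5cc_%{uid} are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): resolve the ccache a process
# would use. Precedence: KRB5CCNAME, then default_ccache_name in [libdefaults],
# then an assumed build default of FILE:/tmp/krb5cc_%{uid}.

# Print default_ccache_name from the [libdefaults] section of a krb5.conf.
conf_ccache_name() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_ccache_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Storage type is the prefix before the first colon; no known prefix => FILE.
ccache_type_of() {
    case "$1" in
        API:*|DIR:*|FILE:*|KCM:*|KEYRING:*|MEMORY:*|MSLSA:*)
            printf '%s\n' "${1%%:*}" ;;
        *)  printf 'FILE\n' ;;
    esac
}

# Effective ccache name; %{uid} is expanded only for krb5.conf/default values.
effective_ccache() {
    if [ -n "${KRB5CCNAME:-}" ]; then
        printf '%s\n' "$KRB5CCNAME"
        return
    fi
    name=$(conf_ccache_name "$1")
    [ -n "$name" ] || name='FILE:/tmp/krb5cc_%{uid}'
    printf '%s\n' "$name" | sed "s/%{uid}/$(id -u)/g"
}

# Constructed sample krb5.conf mirroring the question plus the answer's fix.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
[libdefaults]
        ccache_type = 4
        default_ccache_name = KEYRING:persistent:%{uid}
[realms]
        default_ccache_name = FILE:/ignored
EOF

name=$(effective_ccache "$sample_conf")
echo "effective ccache: $name (type $(ccache_type_of "$name"))"
```

On a real host, pass /etc/krb5.conf to effective_ccache and compare the result with the cache name that klist reports after kinit.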