Add support for start_realm cache config When making TGS requests, if start_realm is set in the cache, use the named realm to look up the initial TGT for referral or cross-realm requests. (Also correct a comment in struct _tkt_creds_context: the ccache field is an owner pointer, not an alias.) Add an internal API k5_cc_store_primary_cred(), which sets start_realm if the cred being stored is a TGT for a realm other than the client realm. Use this API when acquiring initial tickets with a caller-specified output ccache, when renewing or validating tickets with kinit, when accepting a delegated credential in a GSS context, and when storing a single cred with kvno --out-cache. (cherry picked from commit 0d56740ab9fcc40dc7f46c6fbebdf8f1214f9d96) https://github.com/krb5/krb5/commit/58b4b38e104f0a73b7ac5700c1715a22bbb4604b Author: Greg Hudson Commit: 58b4b38e104f0a73b7ac5700c1715a22bbb4604b Branch: krb5-1.19 doc/formats/ccache_file_format.rst | 6 ++++++ src/clients/kinit/kinit.c | 2 +- src/clients/kvno/kvno.c | 5 ++++- src/include/k5-int.h | 4 ++++ src/lib/gssapi/krb5/accept_sec_context.c | 2 +- src/lib/krb5/ccache/ccfns.c | 20 ++++++++++++++++++++ src/lib/krb5/krb/get_creds.c | 28 +++++++++++++++++++++------- src/lib/krb5/krb/get_in_tkt.c | 2 +- src/lib/krb5/libkrb5.exports | 1 + src/lib/krb5_32.def | 3 +++ src/tests/t_crossrealm.py | 8 ++++++++ src/tests/t_pkinit.py | 3 +++ 12 files changed, 73 insertions(+), 11 deletions(-)