Skip Menu |

Date: Sun, 28 Mar 2021 12:36:21 -0400
Subject: KCM interop issue with KRB5_TC_ flags
MIT krb5 defines KRB5_TC_ flag bits from 0x1 to 0x200.  Heimdal defines them from 1<<31 to 1<<22 so that the same flag word can also contain KRB5_GC_ flags (see lib/krb5/get_cred.c:check_cc() for instance).

In the KCM protocol, flag words containing KRB5_TC_ flag bits are used in the RETRIEVE and REMOVE_CRED operations.  We don't currently use RETRIEVE, but we do use REMOVE_CRED.  If any flags are specified for this operation, Heimdal/Apple KCM servers won't see our flags and sssd won't see their flags.
Subject: git commit

Fix KCM flag transmission for remove_cred

MIT krb5 uses low bits for KRB5_TC flags, while Heimdal uses high bits
so that the same flag word can also hold KRB5_GC flags. Add a mapping
function and send the Heimdal flag values when performing a
remove_cred operation.
Author: Greg Hudson <>
Commit: 11a82cf424f9c905bb73680c64524f087090d4ef
Branch: master
src/include/kcm.h | 19 +++++++++++++++++++
src/lib/krb5/ccache/cc_kcm.c | 36 +++++++++++++++++++++++++++++++++++-
2 files changed, 54 insertions(+), 1 deletions(-)