Making the CCacheServer Kerberos Ticket server actually Work(tm) on OSX

If you’re wondering why the CCacheServer daemon, which caches in memory the Kerberos tickets obtained via kinit(1), is NOT starting: that’s because of a strange bug regarding the LimitLoadToSessionType key specified in the agent .plist, located at

/System/Library/LaunchAgents/edu.mit.kerberos.CCacheServer.plist

on OSX 10.5 systems.

You simply have to comment out these two lines:


<key>LimitLoadToSessionType</key>
<string>Background</string>
And then either run launchctl load /System/Library/LaunchAgents/edu.mit.kerberos.CCacheServer.plist or reboot your system ;).
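
The edit described above can be scripted. The following is an added example, not part of the original post: it wraps the key and its value in an XML comment and prints the result instead of modifying the file in place. The function names and the sample plist are assumptions made for illustration; only the label and the two lines come from the post.

```shell
#!/bin/sh
# Added example (not from the original post).
# Reads a launchd agent plist (file argument or stdin) and writes it to stdout
# with the LimitLoadToSessionType key and its value wrapped in an XML comment.
# Assumes the value sits on the single line right after the key, as in the post.
# Exit status: 0 if the pair was commented out, 1 if no active pair was found.
comment_out_session_type() {
    awk '
        # Previous line was the key: close the comment after the value line.
        pending { print $0 " -->"; pending = 0; next }
        # Track multi-line XML comments so an already disabled key is skipped.
        /<!--/ && !/-->/ { in_comment = 1 }
        !in_comment && !/<!--/ && /<key>LimitLoadToSessionType<\/key>/ {
            print "<!-- " $0; pending = 1; changed = 1; next
        }
        /-->/ { in_comment = 0 }
        { print }
        END { exit (changed ? 0 : 1) }
    ' "$@"
}

# Constructed sample plist (hypothetical contents apart from the label and
# the two LimitLoadToSessionType lines quoted in the post).
sample_plist() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>edu.mit.kerberos.CCacheServer</string>
    <key>LimitLoadToSessionType</key>
    <string>Background</string>
</dict>
</plist>
EOF
}

# Demo: print the patched sample. For the real file, run it on a copy and
# review the output before replacing anything under /System/Library.
sample_plist | comment_out_session_type
```

Running the function a second time on its own output changes nothing and returns 1, so it is safe to re-run.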

CCacheServer will then be instantiated when you do a kinit:


$ kinit
Please enter the password for vjt@DOMAIN.LOCAL: 

$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: vjt@DOMAIN.LOCAL

Valid Starting     Expires            Service Principal
11/12/08 20:59:35  11/13/08 06:59:14  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
    renew until 11/19/08 20:59:35

The bug is strange because the LimitLoadToSessionType key should actually instruct launchd to start the daemon automatically and run it once for every logged-in user, when kinit asks for its services. But if the key is set in the .plist, a launchctl load on it fails with “nothing found to load”. Weird!
