

Re: Kerberos multiple principals having same realms issue.

From: Michael Osipov <>
Date: Fri, 18 Jul 2014 08:46:42 +0200

> Hi,
> We are observing an issue when running curl under negotiate with multiple principals that both have the same realm (say user1/krbnet.com_at_EXAMPLE.COM and user2/krbnet.com_at_EXAMPLE.COM).
> We are using a directory cache to update the cache with both principals.
> kinit -kt user1/krbnet.com_at_EXAMPLE.COM
> kinit -kt user2/krbnet.com_at_EXAMPLE.COM
> The curl library is loading only the primary credentials (here user2) in the Kerberos cache and working even though there are user1 and user2 credentials in the Kerberos cache.
> Is there any option in curl to specify the negotiate connection based on the principal?
> Can anybody suggest a way to work with curl if multiple Kerberos principals are present and both point to the same realm?


This is obviously not a curl problem itself. You have two options for this:

1. Read MIT Kerberos documentation on DIR [1] and use kswitch
2. Patch curl to accept a UPN with -u michael-o_at_COMPANY.COM, import name,
pass along to gss_init_sec_context and hope that MIT Kerberos picks that up. (Not tried)


Received on 2014-07-18
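
Option 1 from the reply above, as an added sketch that is not part of the original mail or of curl: a wrapper that makes one principal the primary cache of a DIR: collection with kswitch, confirms the switch before curl runs, and refuses to continue on expired tickets. It assumes the MIT Kerberos client tools; the function names, the sample `klist` output and the principal written with a literal `@` are constructed for illustration.

```shell
#!/bin/sh
# Added example: select one principal from a DIR: ccache collection, then run
# curl with Negotiate. Assumes MIT Kerberos client tools (klist, kswitch).

# Print the default principal found in `klist` output read from stdin.
default_principal() {
    sed -n 's/^Default principal: //p' | head -n 1
}

# negotiate_as PRINCIPAL URL (hypothetical helper)
# Make PRINCIPAL the primary cache of the collection named by KRB5CCNAME,
# confirm the switch took effect and the tickets are valid, then call curl.
negotiate_as() {
    want=$1
    url=$2
    case ${KRB5CCNAME:-} in
        DIR:*) ;;
        *) echo "KRB5CCNAME must name a DIR: collection" >&2; return 2 ;;
    esac
    kswitch -p "$want" || return 3      # fails when no cache holds $want
    got=$(klist | default_principal)
    if [ "$got" != "$want" ]; then
        echo "primary is '$got', expected '$want'" >&2
        return 4
    fi
    klist -s || { echo "tickets for $want are expired" >&2; return 5; }
    # "-u :" makes curl take the identity from the credential cache.
    curl --negotiate -u : "$url"
}

# Constructed sample of `klist` output, for checking the parser offline.
SAMPLE_KLIST='Ticket cache: DIR::/tmp/krb5cc_dir/tktA1b2C3
Default principal: user1/krbnet.com@EXAMPLE.COM

Valid starting       Expires              Service principal
07/18/2014 08:00:00  07/18/2014 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Run only when called as: script PRINCIPAL URL
if [ "$#" -eq 2 ]; then
    negotiate_as "$1" "$2"
fi
```

Because kswitch changes the primary cache for every process that shares the collection, concurrent jobs that need different identities should each point KRB5CCNAME at their own collection.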