
Credential Cache and Keytab File Compatibility

In order for a DCE client and a Kerberos V5 client to coexist on the same host, they may need to be able to share credentials and keys. DCE Version 1.2.2 provides compatible credential and keytab file formats to allow for this coexistence.

As of the fifth beta release of Kerberos V5, three format versions exist for the credential cache file and two for the keytab file.

Not all of the file formats are compatible with one another. For example, an older Kerberos V5 client that writes credential cache files in the Version 1 format will not be able to read credential caches in a Version 2 or 3 format. The following tables describe the compatibility of credential cache and keytab files.


Credential Cache Files


Release                               Kerberos V5   Kerberos V5   Kerberos V5
                                      (Version 1)   (Version 2)   (Version 3)
DCE 1.0 or Kerberos V5 beta 1         yes           no            no
Kerberos V5 beta 2-3                  no            yes           no
DCE 1.1-1.2.1 or Kerberos V5 beta 4   yes           yes           no
DCE 1.2.2 or Kerberos V5 beta 5-7     yes           yes           yes

A defect in the Beta 2 and Beta 3 releases of Kerberos V5 prevented compatibility with files created in the Version 1 format; the defect was fixed in Beta 4.


Keytab Files


Release                                 Kerberos V5   Kerberos V5
                                        (Version 1)   (Version 2)
DCE 1.0 or Kerberos V5 beta 1           yes           no
Kerberos V5 beta 2-3                    no            yes
DCE 1.1-1.2.2 or Kerberos V5 beta 4-7   yes           yes

The credential cache and keytab file format that DCE clients use can be set with the dcecp hostvar set command. The default format for both files is Version 1. You may change this on a per-host basis to allow Kerberos V5 applications to run on your DCE client and to share keytab and credential files.

For example, use the following dcecp command to set the version number format of the Kerberos V5 credential cache file to 3:

dcecp> hostvar set -krbccachevno 3
dcecp>

To set the version number format of the Kerberos V5 keytab file to 2:

dcecp> hostvar set -krbktvno 2
dcecp>

To display the current settings:

dcecp> hostvar show -krbccachevno -krbktvno
dcecp>

See the dcecp reference page for more information. For the changes to take effect, stop and restart the DCE daemons on the host.
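
To see which format an existing credential cache or keytab file uses before changing these settings, the following added example (not part of the DCE documentation or tools) reads the file header and lists the releases from the tables above that are compatible with it. It assumes the MIT Kerberos V5 file layout, in which the first byte is 5 and the second byte is the format version; the function names and sample bytes are constructed for illustration.

```python
import os
import tempfile

# Format versions each release is compatible with, transcribed from the tables above.
CCACHE_COMPAT = {
    "DCE 1.0 / Kerberos V5 beta 1": {1},
    "Kerberos V5 beta 2-3": {2},
    "DCE 1.1-1.2.1 / Kerberos V5 beta 4": {1, 2},
    "DCE 1.2.2 / Kerberos V5 beta 5-7": {1, 2, 3},
}
KEYTAB_COMPAT = {
    "DCE 1.0 / Kerberos V5 beta 1": {1},
    "Kerberos V5 beta 2-3": {2},
    "DCE 1.1-1.2.2 / Kerberos V5 beta 4-7": {1, 2},
}


def format_version(path):
    """Return the format version stored in a ccache or keytab header."""
    # Assumption: MIT Kerberos V5 layout; byte 0 is always 5, byte 1 is the version.
    with open(path, "rb") as fh:
        header = fh.read(2)
    if len(header) < 2:
        raise ValueError(f"{path}: file too short to hold a format header")
    if header[0] != 5:
        raise ValueError(f"{path}: first byte is {header[0]:#04x}, expected 0x05")
    return header[1]


def compatible_releases(path, table):
    """List the releases in `table` that are compatible with the file at `path`."""
    version = format_version(path)
    return [release for release, versions in table.items() if version in versions]


def write_sample(header):
    """Write a constructed sample file: `header` followed by padding bytes."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(header + b"\x00" * 8)
    return path


if __name__ == "__main__":
    for label, header, table in (("ccache v3", b"\x05\x03", CCACHE_COMPAT),
                                 ("keytab v2", b"\x05\x02", KEYTAB_COMPAT)):
        path = write_sample(header)  # constructed sample, not a real credential file
        print(label, "compatible with:", compatible_releases(path, table))
        os.remove(path)
```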