Credential cache collections are new in release 1.10, with support from the DIR and API ccache types.
In release 1.12, the KEYRING ccache type also supports collections.
Because mapping does not become an issue until the client computer tries to access a service, domain-to-realm mapping problems do not affect initial ticket (TGT) requests.
When mapping problems exist, service ticket requests or access to Kerberized services may fail.
Do not rule out one of these issues just because there is not an obvious pointer to it. Time differences are a common factor when dealing with Kerberos configuration.
Kerberos requires that all the computers in the environment have system times within 5 minutes of one another.
If in doubt about the validity of the key table, move (rename) the existing one and create a new file.
A credential cache usually contains one initial ticket which is obtained using a password or another form of identity verification.
Many UNIX implementations support the SHA1 encryption type, but Active Directory does not. Although these encryption types are not as secure as RC4-HMAC and SHA1, they have been selected for this document because of their universal support.
In a Kerberos environment, both a client (a user) and a server (the server side component of an application) must have a key (a password).
When you begin troubleshooting a Kerberos problem, there are a few common trouble spots that you should check first. In some cases, it will be obvious when troubleshooting which of these, if any, is the cause of the problem.
For instance, when there is a clock skew problem, you may see a clock skew error.