
kcm - Man Page

process-based credential cache for Kerberos tickets.


kcm [--cache-name=cachename] [-c file | --config-file=file] [-g group | --group=group] [--max-request=size] [--disallow-getting-krbtgt] [--detach] [-h | --help] [-k principal | --system-principal=principal] [-l time | --lifetime=time] [-m mode | --mode=mode] [-n | --no-name-constraints] [-r time | --renewable-life=time] [-s path | --socket-path=path] [--door-path=path] [-S principal | --server=principal] [-t keytab | --keytab=keytab] [-u user | --user=user] [-v | --version]


kcm is a process-based credential cache. To use it, set the KRB5CCNAME environment variable to ‘KCM:uid’ or add the stanza

        default_cc_name = KCM:%{uid}

to the /etc/krb5.conf configuration file and make sure kcm is started in the system startup files.
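Added example, not part of the kcm distribution: a shell check of which credential cache a client would actually use, given that a set KRB5CCNAME takes precedence over the default_cc_name stanza. It assumes the stanza sits in the [libdefaults] section; the function names and the sample configuration are constructed for illustration.

```shell
# Added example, not part of kcm; function names are hypothetical.
# Print the first default_cc_name in [libdefaults] (assumed location) of a
# krb5.conf-style file; print nothing if it is not set there.
cc_name_from_conf() {
    awk '
        /^[ \t]*[#;]/ { next }                  # comment line
        /^[ \t]*\[/ {                           # section header
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            in_lib = (sec == "libdefaults")
            next
        }
        in_lib && /^[ \t]*default_cc_name[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)       # drop the key and "="
            sub(/[ \t]+$/, "", val)             # drop trailing blanks
            print val
            exit
        }
    ' "$1"
}

# Name a client would use: KRB5CCNAME if set and non-empty, else krb5.conf.
effective_cc_name() {
    if [ -n "${KRB5CCNAME:-}" ]; then
        printf '%s\n' "$KRB5CCNAME"
    else
        cc_name_from_conf "$1"
    fi
}

# Succeed only when the effective cache name has the KCM: type prefix.
uses_kcm() {
    case "$(effective_cc_name "$1")" in KCM:*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample configuration (not from a real host).
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat > "$sample_conf" <<'EOF'
[libdefaults]
    # default_cc_name = FILE:/tmp/krb5cc_%{uid}
    default_cc_name = KCM:%{uid}
[appdefaults]
    default_cc_name = FILE:/ignored/outside/libdefaults
EOF
if uses_kcm "$sample_conf"; then echo "cache type: KCM"; else echo "cache type: not KCM"; fi
```

A session that exports KRB5CCNAME with a FILE: name fails the check even when krb5.conf selects KCM, which is the case worth catching when auditing where tickets are stored.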

The kcm daemon can hold the credentials for all users in the system. Access control is done with Unix-like permissions. The daemon checks the access on all operations based on the uid and gid of the user. The tickets are renewed as long as is permitted by the KDC's policy.

The kcm daemon can also keep a SYSTEM credential that server processes can use to access services. One example of usage might be an nss_ldap module that quickly needs to get credentials and doesn't want to renew the ticket itself.

Supported options:


--cache-name=cachename

system cache name

-c file, --config-file=file

location of config file

-g group, --group=group

system cache group


--max-request=size

max size for a kcm-request


--disallow-getting-krbtgt

disallow extracting any krbtgt from the kcm daemon.


--detach

detach from console

-h, --help

-k principal, --system-principal=principal

system principal name

-l time, --lifetime=time

lifetime of system tickets

-m mode, --mode=mode

octal mode of system cache

-n, --no-name-constraints

disable credentials cache name constraints

-r time, --renewable-life=time

renewable lifetime of system tickets

-s path, --socket-path=path

path to kcm domain socket


--door-path=path

path to kcm door socket

-S principal, --server=principal

server to get system ticket for

-t keytab, --keytab=keytab

system keytab name

-u user, --user=user

system cache owner

-v, --version


May 29, 2005