07-22-2019 02:54 PM
@mmmunafo, I guess your workaround should be OK. The only other two options I could see would be to wrap the pam.authenticate() call with an unset and set of KRB5CCNAME. Assuming authentication takes milliseconds, it would be unlikely that Hue is attempting to retrieve cache information at that moment, but I don't know that it is any better than what you are up to.

For instance, in desktop/core/src/desktop/auth/backend.py wrap:

```python
if pam.authenticate(username, password, desktop.conf.AUTH.PAM_SERVICE.get()):
```

With

```python
del os.environ['KRB5CCNAME']
```

and then after auth:

```python
os.environ['KRB5CCNAME'] = desktop.conf.KERBEROS.CCACHE_PATH.get()
```

NOTE: we would need to import os in backend.py to do that.

So possibly, something like this would work:

```python
import os  # needed in backend.py for the KRB5CCNAME handling below


class PamBackend(DesktopBackendBase):
  """
  Authentication backend that uses PAM to authenticate logins. The first user to
  login will become the superuser.
  """
  @metrics.pam_authentication_time
  def authenticate(self, request=None, username=None, password=None):
    username = force_username_case(username)
    # Hide the Kerberos ticket cache from PAM for the duration of the call.
    # pop() instead of del avoids a KeyError when KRB5CCNAME is not set.
    os.environ.pop('KRB5CCNAME', None)
    try:
      authenticated = pam.authenticate(username, password, desktop.conf.AUTH.PAM_SERVICE.get())
    finally:
      # Restore the cache path on success, failure, or if PAM raises.
      os.environ['KRB5CCNAME'] = desktop.conf.KERBEROS.CCACHE_PATH.get()
    if authenticated:
      is_super = False
      if User.objects.count() == 0:
        is_super = True
      try:
        if desktop.conf.AUTH.IGNORE_USERNAME_CASE.get():
          user = User.objects.get(username__iexact=username)
        else:
          user = User.objects.get(username=username)
      except User.DoesNotExist:
        user = find_or_create_user(username, None)
      if user is not None and user.is_active:
        profile = get_profile(user)
        profile.creation_method = UserProfile.CreationMethod.EXTERNAL.name
        profile.save()
        user.is_superuser = is_super
        ensure_has_a_group(user)
        user.save()
        user = rewrite_user(user)
        return user
    return None

  @classmethod
  def manages_passwords_externally(cls):
    return True
```

Might not be worth it, though
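The unset-and-restore wrapper from the post above, written as a reusable context manager. This is an added example, not part of the original post and not Hue code; `env_var_hidden`, `authenticate_without_ccache`, `fake_pam` and the cache path are hypothetical names and constructed values, and it restores the previous value of the variable rather than reading it from configuration.

```python
import os
import threading
from contextlib import contextmanager

# os.environ is process-wide, so callers of this helper take turns.
# Holding the lock across the call also serialises logins that use it.
_ENV_LOCK = threading.RLock()

@contextmanager
def env_var_hidden(name):
    """Remove `name` from the environment, then put back exactly the
    previous state (previous value, or still absent)."""
    with _ENV_LOCK:
        previous = os.environ.pop(name, None)  # no KeyError if unset
        try:
            yield previous
        finally:
            if previous is None:
                os.environ.pop(name, None)
            else:
                os.environ[name] = previous

def authenticate_without_ccache(authenticate, username, password, service):
    """Call a PAM-style authenticate(username, password, service) callable
    with KRB5CCNAME hidden and return its result."""
    with env_var_hidden('KRB5CCNAME'):
        return authenticate(username, password, service)

def demo():
    # Constructed sample state: made-up cache path, stand-in for pam.authenticate
    os.environ['KRB5CCNAME'] = '/tmp/example_ccache'
    seen = []
    def fake_pam(username, password, service):
        seen.append(os.environ.get('KRB5CCNAME'))  # what PAM would see
        if password is None:
            raise RuntimeError('simulated PAM failure')
        return password == 'correct'
    ok = authenticate_without_ccache(fake_pam, 'alice', 'correct', 'login')
    try:
        authenticate_without_ccache(fake_pam, 'alice', None, 'login')
    except RuntimeError:
        pass  # the variable must still be restored after an exception
    return ok, seen, os.environ.get('KRB5CCNAME')

if __name__ == '__main__':
    print(demo())
```

The lock only coordinates code that goes through this helper; any other thread that reads KRB5CCNAME directly during the call still sees it missing, which is the short window the post describes.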