By default, the kerberos credential cache is in /tmp/krb5cc_$userid, with $userid changing for each user of course. There is the possibility to change it, and we tried:
https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/594516/
https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/594519/
etc..
The idea was to move the default ccache location to /run/user/$userid/krb_cred, since it is a better location in a systemd environment (/run/user is on tmpfs, so flushed at every reboot, and also more standard for user settings than /tmp) but for a variety of reason it didn't work.
By default Java uses /tmp and it doesn't read /etc/krb.conf or similar to pick up different values, but it seems only using the KRB5CCNAME environment variable. We thought that simply exporting it by default in some place like /etc/profile.d was enough, but it turned out to not work with tools like Jupyterhub straight out of the box.
One of the major benefits of not having the credential cache under /tmp is that it wouldn't cause consistency issues with PrivateTmp settings for daemons running via systemd, most notably nagios NRPE and Jupyter notebooks. In the nagios use case, our /mnt/hdfs readability checks cannot run easily since kerberos-run-command populates the system /tmp, meanwhile the nagios server (who forks the check to run) uses a private tmp. In the Jupyter use case, every unit representing a user's notebook is not able to pick up "system tmp" krb credentials for the user, and requires the usage of the Jupyter terminal to kinit (creating multiple TGT with different lifetimes).