init_sec_context() stores a sub, sub domain tgt without deleting existing one causing Memory Leak - (KRB5_GC_NO_STORE).
Greg Hudson
ghudson at mit.edu
Fri May 12 19:40:47 EDT 2017
On 05/12/2017 03:49 PM, Rahul G wrote:
> I observed that when a user from a sub sub domain (three levels down from
> top) makes a request, *init_sec_context *function* (which eventually calls
> get_creds.c)*
> stores the TGT of the sub sub domain in the ccache.
> Problem is, when a another user from the same domain makes a request, it
> stores the same TGT again and
> the cache now has 2 copies of the same TGT, and this continues for every
> user thereby increasing the memory used by the process.
This sounds like a variant of
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8579 where the KDC
response is an alternate TGT. We recently committed a change to master
to fix that problem:
https://github.com/krb5/krb5/commit/1dc619624421002b1e64d3b8c7e270508381b3e6
Unfortunately we don't put out KfW releases very often, but if you're
prepared to rebuild KfW from source code you could apply that patch.
More information about the kfwdev
mailing list