krb5 commit: Avoid large numbers of refresh_time cache entries

ghudson at mit.edu ghudson at mit.edu
Wed Jul 16 21:12:21 EDT 2025


https://github.com/krb5/krb5/commit/a656a739721868d6b271c73a0e2785de687c3bc5
commit a656a739721868d6b271c73a0e2785de687c3bc5
Author: Greg Hudson <ghudson at mit.edu>
Date:   Mon Jul 7 17:22:47 2025 -0400

    Avoid large numbers of refresh_time cache entries
    
    Commit 729896467e3c77904666019d6cbbda583ae49b95 amended
    kg_cred_time_to_refresh() to attempt a refresh from a client keytab
    when creds are close to expiration, even if no refresh_time config
    entry is set (as would be the case if the creds were acquired from a
    client keytab in the first place).  The added conditional sets a
    refresh_time config entry, which is unhelpful as it has no
    corresponding check for one.  kg_cred_time_to_refresh() is called
    before can_get_initial_creds(), so we add a config entry on every
    acquire_cred call when the creds are expired or close to expired, even
    with no accessible keytab.  Remove the set_refresh_time() call to
    avoid this inefficient behavior.
    
    ticket: 9179 (new)
    tags: pullup
    target_version: 1.22-next

 src/lib/gssapi/krb5/acquire_cred.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index d49ad07ea..aa1a486dc 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -546,8 +546,7 @@ set_refresh_time(krb5_context context, krb5_ccache ccache,
     krb5_clear_error_message(context);
 }
 
-/* Return true if it's time to refresh cred from the client keytab.  If
- * returning true, avoid retrying for 30 seconds. */
+/* Return true if it's time to refresh cred from the client keytab. */
 krb5_boolean
 kg_cred_time_to_refresh(krb5_context context, krb5_gss_cred_id_rec *cred)
 {
@@ -556,17 +555,18 @@ kg_cred_time_to_refresh(krb5_context context, krb5_gss_cred_id_rec *cred)
     if (krb5_timeofday(context, &now))
         return FALSE;
     soon = ts_incr(now, 30);
+
+    /* If a refresh time is set and has elapsed, attempt a refresh, and set a
+     * new refresh time to avoid retrying for 30 seconds. */
     if (cred->refresh_time != 0 && !ts_after(cred->refresh_time, now)) {
         set_refresh_time(context, cred->ccache, soon);
         return TRUE;
     }
 
-    /* If the creds will expire soon, try to refresh even if they weren't
+    /* If the creds will expire soon, attempt a refresh even if they weren't
      * acquired with a client keytab. */
-    if (ts_after(soon, cred->expire)) {
-        set_refresh_time(context, cred->ccache, soon);
+    if (ts_after(soon, cred->expire))
         return TRUE;
-    }
 
     return FALSE;
 }
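Review bot: The near-expiry branch at `if (ts_after(soon, cred->expire))` now returns TRUE on every call while the creds are within 30 seconds of expiry or already expired, with no throttle, while the refresh_time branch above it still backs off for 30 seconds through set_refresh_time(); the commit message explains why the set was unhelpful, but nothing in the code says this path is deliberately unthrottled. A comment such as `/* Deliberately unthrottled: the caller gates the actual refresh on can_get_initial_creds(), so returning TRUE here only costs a keytab check. */` would keep the next reader from re-adding the set_refresh_time() call. If the keytab is accessible but the refresh itself keeps failing (for example, an unreachable KDC), each acquire_cred call would presumably retry it until the creds expire, which may be worth noting at the same spot. The function's signature is in the first hunk and the declarations of now and soon lie between the two hunks.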

