Question about krb5_get_renewed_creds

Jeffrey Altman jaltman at secure-endpoints.com
Mon Sep 10 15:27:01 EDT 2007


Markus Moeller wrote:
> My application tries to renew credentials with krb5_get_renewed_cred about
> every 5 minutes for the default principal. Will a following
> gss_init_sec_context request a new service principal or do I need to call
> krb5_get_renewed_cred also for the service principal?
> I see the following when renewing and storing the credentials on Windows and
> gss_init_sec_context fails with ticket expired as it doesn't seem to
> attempt to renew the service principal with the maximal krbtgt (here
> 19:39:57) expiry time but uses the initial expiry time of 19:29:47.
Markus:

krb5_get_renewed_creds() only renews the single service ticket that is
specified as the in_tkt_service parameter or the TGT if none is specified.
It does not modify any of the other credentials in the cache.

Ticket managers such as NIM's krb5 identity provider destroy the tickets
other than the TGT when renewing the TGT. This forces the acquisition of
new service tickets.

Jeffrey Altman
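
The behaviour described in the reply above, as an added example that is not part of the original message and is not MIT krb5 code: a simplified C model of a credential cache that contrasts renewing only the TGT with renewing it and discarding the other tickets. All type and function names are hypothetical, and the rule that a cached service ticket is reused as-is is an assumption taken from what the question reports.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CREDS 8
#define HMS(h, m, s) ((h) * 3600L + (m) * 60L + (s))

/* Hypothetical, simplified cache entry: server principal and expiry time. */
struct cred { char server[64]; long endtime; };
struct ccache { struct cred creds[MAX_CREDS]; int n; };

static struct cred *cc_find(struct ccache *cc, const char *server) {
    for (int i = 0; i < cc->n; i++)
        if (strcmp(cc->creds[i].server, server) == 0) return &cc->creds[i];
    return NULL;
}

static void cc_store(struct ccache *cc, const char *server, long endtime) {
    struct cred *c = cc_find(cc, server);
    if (!c && cc->n < MAX_CREDS) c = &cc->creds[cc->n++];
    if (!c) return;                       /* cache full: entry not stored */
    snprintf(c->server, sizeof c->server, "%s", server);
    c->endtime = endtime;
}

/* Models krb5_get_renewed_creds() for the TGT followed by a plain store:
 * only the TGT entry changes, every other credential keeps its old expiry. */
void renew_tgt_only(struct ccache *cc, const char *tgt, long new_end) {
    cc_store(cc, tgt, new_end);
}

/* Models the ticket-manager approach: reinitialise the cache and store only
 * the renewed TGT (krb5_cc_initialize() then krb5_cc_store_cred() in MIT krb5). */
void renew_tgt_and_purge(struct ccache *cc, const char *tgt, long new_end) {
    cc->n = 0;
    cc_store(cc, tgt, new_end);
}

/* Model assumption, matching what the question reports: a cached service
 * ticket is reused as-is; on a miss a new one is issued, bounded by the TGT.
 * Returns the ticket's expiry, or -1 if there is no TGT to request one with. */
long service_ticket_endtime(struct ccache *cc, const char *tgt, const char *svc) {
    struct cred *c = cc_find(cc, svc);
    if (c) return c->endtime;
    struct cred *t = cc_find(cc, tgt);
    if (!t) return -1;
    cc_store(cc, svc, t->endtime);
    return t->endtime;
}
```

With the two expiry times from the question, the first strategy keeps handing back the service ticket that ends at 19:29:47, while the second yields one that ends at 19:39:57.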

