[-SPAM-] Re: Question about krb5_get_renewed_creds
Markus Moeller
huaraz at moeller.plus.com
Mon Sep 10 17:26:51 EDT 2007
Jeffrey,
when you say destroy tickets do you use krb5_cc_remove_cred ? How can I do
it for memory caches as remove_cred isn't supported.?
Thank you
Markus
----- Original Message -----
From: "Jeffrey Altman" <jaltman at secure-endpoints.com>
To: <huaraz at moeller.plus.com>
Cc: <kerberos at mit.edu>
Sent: Monday, September 10, 2007 8:27 PM
Subject: [-SPAM-] Re: Question about krb5_get_renewed_creds
> Markus Moeller wrote:
>> My application tries to renew credentials with krb5_get_renewed_cred
>> about
>> every 5 minutes for the default principal. Will a following
>> gss_init_sec_context request a new service principal or do I need to call
>> krb5_get_renewed_cred also for the service principal ?
>> I see the following when renewing and storing the credentials on Windows
>> and
>> gss_init_sec_context fails with ticket expired as it doesn't seem to
>> attempt to renew the service principal with the maximal krbtgt (here
>> 19:39:57) expiry time but uses the initial expiry time of 19:29:47.
> Markus:
>
> krb5_get_renewed_creds() only renews the single service ticket that is
> specified
> as the in_tkt_service parameter or the TGT if none is specified. It
> does not
> modify any of the other credentials in the cache.
>
> Ticket managers such as NIM's krb5 identity provider destroy the tickets
> other
> than the TGT when renewing the TGT. This forces the acquisition of new
> service
> tickets.
>
> Jeffrey Altman
>
>
>
More information about the Kerberos
mailing list