[-SPAM-] Re: Question about krb5_get_renewed_creds

Markus Moeller huaraz at moeller.plus.com
Mon Sep 10 17:26:51 EDT 2007


Jeffrey,

When you say destroy tickets, do you use krb5_cc_remove_cred? How can I do
it for memory caches, as remove_cred isn't supported?

Thank you
Markus

----- Original Message ----- 
From: "Jeffrey Altman" <jaltman at secure-endpoints.com>
To: <huaraz at moeller.plus.com>
Cc: <kerberos at mit.edu>
Sent: Monday, September 10, 2007 8:27 PM
Subject: [-SPAM-] Re: Question about krb5_get_renewed_creds


> Markus Moeller wrote:
>> My application tries to renew credentials with krb5_get_renewed_creds about
>> every 5 minutes for the default principal. Will a following
>> gss_init_sec_context request a new service principal or do I need to call
>> krb5_get_renewed_creds also for the service principal?
>> I see the following when renewing and storing the credentials on Windows and
>> gss_init_sec_context fails with ticket expired as it doesn't seem to
>> attempt to renew the service principal with the maximal krbtgt (here
>> 19:39:57) expiry time but uses the initial expiry time of 19:29:47.
>
> Markus:
>
> krb5_get_renewed_creds() only renews the single service ticket that is
> specified as the in_tkt_service parameter or the TGT if none is specified.
> It does not modify any of the other credentials in the cache.
>
> Ticket managers such as NIM's krb5 identity provider destroy the tickets
> other than the TGT when renewing the TGT. This forces the acquisition of
> new service tickets.
>
> Jeffrey Altman




