Cache selection logic

Greg Hudson ghudson at MIT.EDU
Thu May 30 11:21:19 EDT 2013

On 05/30/2013 09:01 AM, Bernardo Pastorelli wrote:
> I create two LDAP sessions; in one of them I perform a bind for Administrator, in the other one I perform a bind for user1. In the Kerberos cache (type DIR) I see a TGT and an LDAP ticket for both Administrator and user1.
> Then, using the Administrator's LDAP session, I try searching the Active Directory. This operation fails.
> In the Kerberos trace I see that the cache selection logic simply searches all the entries in the cache for a valid connection to the LDAP server [...]

If you're using an existing LDAP session, I don't think there should be
any ccache operations at all, because you shouldn't be creating a new
security context.  Can you look more closely at this code path, paying
particular attention to any logic resulting in calls to gss_acquire_cred
or gss_init_sec_context?
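To make the selection behaviour Bernardo describes concrete, here is an added, simplified Python model of a DIR-type cache collection; it is illustrative code written for this archive page, not MIT krb5 source or anything posted in the thread. It assumes a realm EXAMPLE.COM, a domain controller dc1, and constructed ticket lifetimes. The "pinned" branch models what happens when the caller names the initiator explicitly (in GSSAPI terms, passing a desired_name to gss_acquire_cred) instead of letting the library walk the whole collection for any usable ticket to the service.

```python
"""Simplified model of credential-cache collection selection.

Constructed for illustration: one cache per client principal, and an
unpinned search that takes the first cache holding an unexpired ticket
for the target service, whichever principal it belongs to.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cred:
    service: str   # service principal, e.g. "ldap/dc1.example.com@EXAMPLE.COM"
    expires: int   # constructed expiry, in seconds since epoch


@dataclass
class Ccache:
    client: str                       # client principal owning this cache
    creds: List[Cred] = field(default_factory=list)

    def usable_cred(self, service: str, now: int) -> Optional[Cred]:
        """Return an unexpired ticket for `service`, if this cache has one."""
        for c in self.creds:
            if c.service == service and c.expires > now:
                return c
        return None


def select_cache(collection: List[Ccache], service: str, now: int,
                 client: Optional[str] = None) -> Optional[Ccache]:
    """Pick the cache used to build a context to `service`.

    Pinned (client given): only that principal's cache is considered, so
    the identity of the resulting context is what the caller asked for.
    Unpinned: the first cache with a usable ticket wins, which depends on
    collection order and on which tickets happen to still be valid.
    """
    for cache in collection:
        if client is not None and cache.client != client:
            continue
        if cache.usable_cred(service, now):
            return cache
    return None


# Constructed scenario: two principals, each with a TGT and an LDAP ticket.
REALM = "EXAMPLE.COM"
LDAP = f"ldap/dc1.{REALM.lower()}@{REALM}"
TGT = f"krbtgt/{REALM}@{REALM}"
NOW = 1_000_000

COLLECTION = [
    Ccache(f"user1@{REALM}",
           [Cred(TGT, NOW + 3600), Cred(LDAP, NOW + 600)]),   # short LDAP ticket
    Ccache(f"Administrator@{REALM}",
           [Cred(TGT, NOW + 3600), Cred(LDAP, NOW + 3600)]),
]


def unpinned_choice(now: int = NOW) -> Optional[str]:
    """Principal whose cache an unpinned search selects at time `now`."""
    cache = select_cache(COLLECTION, LDAP, now)
    return cache.client if cache else None


def pinned_choice(client: str, now: int = NOW) -> Optional[str]:
    """Principal selected when the caller pins the initiator name."""
    cache = select_cache(COLLECTION, LDAP, now, client=client)
    return cache.client if cache else None


if __name__ == "__main__":
    print("unpinned now      :", unpinned_choice())            # user1
    print("unpinned +20 min  :", unpinned_choice(NOW + 1200))  # Administrator
    print("pinned Administrator:", pinned_choice(f"Administrator@{REALM}"))
```

The point of the two unpinned calls is that the answer changes purely with time: while user1's LDAP ticket is valid the Administrator session silently gets user1's identity, and twenty minutes later it gets the right one. Pinning the initiator, or not acquiring a new context at all for an already bound session as Greg suggests, removes that dependency on collection order and ticket lifetimes.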
