Can kerberos api handle parallel TGT access?

Greg Hudson ghudson at MIT.EDU
Sun Sep 22 00:34:32 EDT 2013


On 09/21/2013 10:08 PM, shuaijie wang wrote:
> Is it OK for these two processes to manipulate the same TGT using krb5 api
> simultaneously? Can krb5 API handle this parallelism? If krb5 API can
> handle this, then it can relieve me from adding synchronization logic in my
> processes.

Once a credential cache is created, it is okay for multiple processes to 
access it in parallel.  The worst that will happen is that you might get 
multiple copies of a service ticket.

Renewing or reinitializing the cache with a new TGT is currently not 
atomic.  This is a known limitation; we have discussed some possible 
solutions but don't have a schedule for solving it.  For FILE ccaches, 
you can put the new ccache into a temporary file in the same directory 
and rename it into place, and I believe k5start does this.



More information about the Kerberos mailing list