Can kerberos api handle parallel TGT access?
Greg Hudson
ghudson at MIT.EDU
Sun Sep 22 00:34:32 EDT 2013
On 09/21/2013 10:08 PM, shuaijie wang wrote:
> Is it OK for these two processes to manipulate the same TGT using krb5 api
> simultaneously? Can krb5 API handle this parallelism? If krb5 API can
> handle this, then it can relieve me from adding synchronization logic in my
> processes.
Once a credential cache is created, it is okay for multiple processes to
access it in parallel. The worst that will happen is that you might get
multiple copies of a service ticket.
Renewing or reinitializing the cache with a new TGT is currently not
atomic. This is a known limitation; we have discussed some possible
solutions but don't have a schedule for solving it. For FILE ccaches,
you can put the new ccache into a temporary file in the same directory
and rename it into place, and I believe k5start does this.
More information about the Kerberos
mailing list