Can't acquire stored impersonated creds from cache

Martin Gee geemang_2000 at yahoo.com
Mon Sep 21 09:03:26 EDT 2015


OK, I was testing and added it via kinit -k -l (shorter life) to see if it would refresh (and it wasn't).
Seems my KDC gives out 10 hr tickets.
QQ) What happens after the "renew until date" expires? I'm assuming I'd need to destroy?

 


On Monday, September 21, 2015 12:05 AM, Greg Hudson <ghudson at mit.edu> wrote:

On 09/20/2015 06:29 PM, Martin Gee wrote:
> On that note, it seems creds / tickets don't refresh either. I'm using
> gss_acquire_cred (to get the TGT).  from: Developing with GSSAPI — MIT
> Kerberos Documentation
> <http://web.mit.edu/kerberos/krb5-latest/doc/appdev/gssapi.html>

> "If the krb5 mechanism acquires initial tickets using the default client
> keytab, the resulting tickets will be stored in the default cache or
> collection, and will be refreshed by future calls to gss_acquire_cred
> <http://tools.ietf.org/html/rfc2744.html#section-5.2> as they approach
> their expire time."

> Seems the docs describe something that doesn't exist in the code.

That functionality does exist, if the TGT was initially acquired using
gss_acquire_cred() with a client keytab.  If you ran kinit -k by hand to
populate the ccache, those creds will not be automatically refreshed.


  

