[krbdev.mit.edu #5697] make ccache handle referrals better
Tom Yu via RT
rt-comment at krbdev.mit.edu
Tue Aug 28 20:10:45 EDT 2007
In bug reports such as
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=436512
and ticket #5663 it appears that the referrals support causes some
problems in the following cases:

1. pre-existing cred having explicit service realm can't be found in
   ccache when looking up a principal name with empty realm from
   sname_to_princ

2. pre-existing cred having empty realm or different service realm
   from actual encoded ticket can't be found in ccache when looking up
   a principal name with the "correct" realm

Both of these can cause excess network traffic as the client attempts
to get another copy of a ticket which it already has.

For (1), cause krb5_cc_retrieve_cred to search using the client
principal's realm as the service principal's realm if a search with an
empty service realm fails.

For (2), cause krb5_cc_store_cred to compare the service principal
(perhaps only the realm) in the cred against the principal in the
actual ticket. If they differ, store using both principal names.

These should be implemented independently of the back ends, i.e. the
krb5_cc_* interfaces will no longer be simple wrappers around a call
through a function pointer. The above solutions will also help in
cases where a ccache is shared between multiple implementations.
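
The two behaviours proposed in the message above, sketched as a toy in-memory model. This is an added example, not part of the original message and not MIT krb5 code: `struct princ`, `struct cred`, `model_store` and `model_retrieve` are hypothetical names, and the sample principals are constructed.

```c
#include <string.h>

/* Toy model: a principal is a name plus a realm; "" is the empty
 * (referral) realm. ticket_server is the name inside the encoded ticket. */
struct princ { const char *name, *realm; };
struct cred { struct princ client, server, ticket_server; };

static struct cred cache[16];
static int ncreds;

static int princ_eq(struct princ a, struct princ b) {
    return !strcmp(a.name, b.name) && !strcmp(a.realm, b.realm);
}

static const struct cred *find(struct princ client, struct princ server) {
    for (int i = 0; i < ncreds; i++)
        if (princ_eq(cache[i].client, client) && princ_eq(cache[i].server, server))
            return &cache[i];
    return NULL;
}

/* Case (2): when the cred's service principal differs from the one in the
 * ticket, store the cred under both names. This model compares the whole
 * principal; the message suggests the realm alone may be enough. */
void model_store(struct cred c) {
    if (ncreds < 16) cache[ncreds++] = c;
    if (!princ_eq(c.server, c.ticket_server) && ncreds < 16) {
        c.server = c.ticket_server;
        cache[ncreds++] = c;
    }
}

/* Case (1): when a lookup with an empty service realm fails, retry using
 * the client principal's realm as the service realm. */
const struct cred *model_retrieve(struct princ client, struct princ server) {
    const struct cred *hit = find(client, server);
    if (hit == NULL && server.realm[0] == '\0') {
        server.realm = client.realm;
        hit = find(client, server);
    }
    return hit;
}

int main(void) {
    struct princ alice = {"alice", "EXAMPLE.COM"};            /* constructed */
    struct princ svc = {"host/a.example.com", "EXAMPLE.COM"}; /* constructed */
    struct princ svc_empty = {"host/a.example.com", ""};
    struct cred c = {alice, svc, svc};
    model_store(c);
    /* Exit 0 when the empty-realm lookup finds the existing cred. */
    return model_retrieve(alice, svc_empty) ? 0 : 1;
}
```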