The TGS code was not freeing authdata. This is an old leak which was made more evident in 1.8 by the addition of ad-signedpath authdata appearing in most tickets issued through the TGS path. http://src.mit.edu/fisheye/changelog/krb5/?cs=23735 Commit By: ghudson Revision: 23735 Changed Files: U trunk/src/kdc/do_tgs_req.c