[krbdev.mit.edu #7820] gss_init_sec_context() can ignore time sync with keyring caches
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Thu Jan 16 17:05:03 EST 2014
I think the problem is that keyring ccaches created by
krb5_krcc_ptcursor_next do not look up the time offsets. In the case
where kg_cred_resolve gets a cache from the collection via
krb5_cc_select, krb5_krcc_resolve is not called and we don't get the time
offsets. In the case where kg_cred_resolve falls back to
krb5int_cc_default, krb5_krcc_resolve is called and we get offsets.

The fix is as simple as moving the time offset lookup code from
krb5_krcc_resolve() into make_cache().

(In the long term, we hope to make fetching the time offset from the
cache into an explicit operation, in order to better handle cases where
different realms have different KDC times.)