[krbdev.mit.edu #8210] getting cross-realm TGTs makes inefficient use of the credentials cache
Benjamin Kaduk via RT
rt-comment at krbdev.mit.edu
Wed Jun 24 12:31:42 EDT 2015
In src/lib/krb5/krb/get_creds.c:begin_get_tgt(), we first check if there is a cached copy of the
desired foreign TGT. If not, we fall back to getting the local TGT and walking the full capath
starting from the local realm, ignoring any cached intermediate TGTs if the capath is nontrivial.
Since the Windows LSA cache denies access to the session key for cross-realm TGTs as well as
local TGTs, fixing this issue is unlikely to cause any behavior change, so it remains just a slight
inefficiency.