[krbdev.mit.edu #8579] duplicate caching of some cross-realm TGTs

"Richard E. Silverman" via RT rt-comment at krbdev.mit.edu
Mon Apr 24 14:56:11 EDT 2017


> So I think my preferred solution for this scenario is to change
> get_cred.c not to cache answers it didn't ask for.

This makes sense to me, and it also (I think) solves another problem I’ve run into that I’ve dubbed “ccache poisoning.” If a client receives an inaccurate referral and caches it, the cached referral can prevent the client from following an available successful path for a different service ticket later on. Of course, the incorrect referral is the root problem, but these things happen in complex multi-platform/realm arrangements, so it’s nice to contain the breakage.

-- 
   Richard

