[krbdev.mit.edu #9179] git commit
Greg Hudson via RT
rt at krbdev.mit.edu
Mon Aug 4 17:44:09 EDT 2025
<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9179 >
Avoid large numbers of refresh_time cache entries
Commit 729896467e3c77904666019d6cbbda583ae49b95 amended
kg_cred_time_to_refresh() to attempt a refresh from a client keytab
when creds are close to expiration, even if no refresh_time config
entry is set (as would be the case if the creds were acquired from a
client keytab in the first place). The added conditional sets a
refresh_time config entry, which is unhelpful as it has no
corresponding check for one. kg_cred_time_to_refresh() is called
before can_get_initial_creds(), so we add a config entry on every
acquire_cred call when the creds are expired or close to expired, even
with no accessible keytab. Remove the set_refresh_time() call to
avoid this inefficient behavior.
(cherry picked from commit a656a739721868d6b271c73a0e2785de687c3bc5)
https://github.com/krb5/krb5/commit/4bb7cb8978450119c14c4168f67b17654ba1419f
Author: Greg Hudson <ghudson at mit.edu>
Commit: 4bb7cb8978450119c14c4168f67b17654ba1419f
Branch: krb5-1.22
src/lib/gssapi/krb5/acquire_cred.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
More information about the krb5-bugs
mailing list