Credential cache searching, ccapi and file caches

Matt Crawford crawdad at
Thu Jul 15 15:30:50 EDT 2004

> As a result of the way that KLL searches for a valid TGT before it 
> tries to get new tickets, it also only creates one ccache per client 
> principal.  If KLL needs to use tickets for a client principal and the 
> existing tickets are expired, KLL will overwrite the existing ccache 
> with any newly acquired tickets rather than creating a new one and 
> leaving the old expired tickets behind.

A side comment, which may amount to a request:

I recall old behavior in MIT Kerberos on Unix that if a needed service 
ticket was expired, the client would error out even if the TGT was 
still valid.  This could happen if the maxlife for a service's 
principal were short. Since setting a shorter maxlife for some services 
(or even all services) could be useful, I'm hoping this behavior either 
has been or will be modified.

More information about the krbdev mailing list