Credential cache searching, ccapi and file caches

Alexandra Ellwood lxs at MIT.EDU
Thu Jul 15 16:14:57 EDT 2004


On Jul 15, 2004, at 3:30 PM, Matt Crawford wrote:

>> As a result of the way that KLL searches for a valid TGT before it 
>> tries to get new tickets, it also only creates one ccache per client 
>> principal.  If KLL needs to use tickets for a client principal and 
>> the existing tickets are expired, KLL will overwrite the existing 
>> ccache with any newly acquired tickets rather than creating a new one 
>> and leaving the old expired tickets behind.
>
> A side comment, which may amount to a request:
>
> I recall old behavior in MIT Kerberos on Unix that if a needed service 
> ticket was expired, the client would error out even if the TGT was 
> still valid.  This could happen if the maxlife for a service's 
> principal were short. Since setting a shorter maxlife for some 
> services (or even all services) could be useful, I'm hoping this 
> behavior either has been or will be modified.

The KLL does not change the behavior of krb5 in this case.  If the TGT 
is valid, the KLL will pass the cache back into the krb5 library 
without prompting for new tickets.  If the service ticket already 
exists and is expired, the krb5 library will behave as it normally 
does -- which I assume is to error out, not get a new service ticket.


--lxs
-----------------------------------------------------------------------
Alexandra Ellwood                                           lxs at mit.edu
MIT Information Services & Technology           http://mit.edu/lxs/www/
-----------------------------------------------------------------------
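
The two behaviours discussed above (the KLL reusing a cache that holds a
valid TGT and otherwise overwriting the one existing cache for that
principal, and the krb5 library treating an already-cached but expired
service ticket as an error even while the TGT is valid) can be written
out as a small model.  The following C program is an added example for
this archive page, not KLL or MIT krb5 code: the model_cred /
model_ccache / model_collection types, the function names, the
principal names and the timestamps are all constructed for illustration,
and lookup_service() encodes the "error out" behaviour exactly as the
reply assumes it, not as verified against any krb5 release.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/*
 * Constructed model of a credential cache collection.  None of these
 * types or functions are libkrb5 or KLL API; they exist only to make
 * the search/overwrite logic from the thread explicit.
 */

#define MAX_CREDS   8
#define MAX_CACHES  4

typedef struct {
    const char *client;     /* client principal the ticket was issued to */
    const char *server;     /* service principal; "krbtgt/..." marks a TGT */
    time_t      endtime;    /* absolute expiry time of the ticket */
} model_cred;

typedef struct {
    const char *principal;          /* default (client) principal of the cache */
    model_cred  creds[MAX_CREDS];
    int         ncreds;
} model_ccache;

typedef struct {
    model_ccache caches[MAX_CACHES];
    int          ncaches;
} model_collection;

static int is_tgt(const model_cred *c)
{
    return strncmp(c->server, "krbtgt/", 7) == 0;
}

static int cred_valid(const model_cred *c, time_t now)
{
    return c->endtime > now;
}

/* KLL-style search: a cache for `client` that still holds an unexpired
 * TGT.  Returns the cache index, or -1 if none qualifies. */
int find_valid_tgt_cache(const model_collection *col, const char *client, time_t now)
{
    for (int i = 0; i < col->ncaches; i++) {
        const model_ccache *cc = &col->caches[i];
        if (strcmp(cc->principal, client) != 0)
            continue;
        for (int j = 0; j < cc->ncreds; j++)
            if (is_tgt(&cc->creds[j]) && cred_valid(&cc->creds[j], now))
                return i;
    }
    return -1;
}

/* Any cache for `client`, valid or expired: the model keeps one per principal. */
static int find_cache_for_client(const model_collection *col, const char *client)
{
    for (int i = 0; i < col->ncaches; i++)
        if (strcmp(col->caches[i].principal, client) == 0)
            return i;
    return -1;
}

/* "Get tickets for client": hand back a cache with a valid TGT if one
 * exists; otherwise acquire a new TGT (modelled as a cred expiring at
 * now + lifetime) and store it over the existing cache for that
 * principal instead of creating a second one.  Expired contents,
 * service tickets included, are discarded.  *acquired is set to 1 when
 * new tickets were obtained.  Returns the cache index or -1. */
int kll_get_tickets(model_collection *col, const char *client, const char *tgt_name,
                    time_t now, time_t lifetime, int *acquired)
{
    *acquired = 0;
    int idx = find_valid_tgt_cache(col, client, now);
    if (idx >= 0)
        return idx;

    idx = find_cache_for_client(col, client);
    if (idx < 0) {
        if (col->ncaches >= MAX_CACHES)
            return -1;
        idx = col->ncaches++;
    }
    model_ccache *cc = &col->caches[idx];
    cc->principal = client;
    cc->ncreds = 0;
    cc->creds[cc->ncreds++] = (model_cred){ client, tgt_name, now + lifetime };
    *acquired = 1;
    return idx;
}

enum svc_result { SVC_CACHED = 0, SVC_FETCH_WITH_TGT, SVC_ERR_EXPIRED, SVC_ERR_NO_TGT };

/* Service-ticket lookup as the reply assumes krb5 behaves: a cached and
 * still-valid ticket is used; a missing ticket would be fetched with a
 * valid TGT; a cached but expired ticket is an error even when the TGT
 * is still valid. */
enum svc_result lookup_service(const model_ccache *cc, const char *server, time_t now)
{
    int have_tgt = 0;
    for (int j = 0; j < cc->ncreds; j++) {
        const model_cred *c = &cc->creds[j];
        if (is_tgt(c)) {
            if (cred_valid(c, now))
                have_tgt = 1;
            continue;
        }
        if (strcmp(c->server, server) == 0)
            return cred_valid(c, now) ? SVC_CACHED : SVC_ERR_EXPIRED;
    }
    return have_tgt ? SVC_FETCH_WITH_TGT : SVC_ERR_NO_TGT;
}

/* Constructed scenario: one cache for alice holding an expired TGT and an
 * expired host/ service ticket (hypothetical names and times). */
void build_scenario(model_collection *col, time_t now)
{
    memset(col, 0, sizeof(*col));
    model_ccache *cc = &col->caches[0];
    cc->principal = "alice@EXAMPLE.COM";
    cc->creds[cc->ncreds++] = (model_cred){ "alice@EXAMPLE.COM",
        "krbtgt/EXAMPLE.COM@EXAMPLE.COM", now - 60 };
    cc->creds[cc->ncreds++] = (model_cred){ "alice@EXAMPLE.COM",
        "host/server.example.com@EXAMPLE.COM", now - 30 };
    col->ncaches = 1;
}

int main(void)
{
    model_collection col;
    time_t now = 1000000;   /* constructed clock value */
    int acquired;
    build_scenario(&col, now);
    printf("valid TGT cache before: %d\n",
           find_valid_tgt_cache(&col, "alice@EXAMPLE.COM", now));
    int idx = kll_get_tickets(&col, "alice@EXAMPLE.COM",
                              "krbtgt/EXAMPLE.COM@EXAMPLE.COM", now, 36000, &acquired);
    printf("cache %d reused, acquired=%d, caches=%d, creds=%d\n",
           idx, acquired, col.ncaches, col.caches[idx].ncreds);
    return 0;
}
```

In the scenario the expired service ticket is reported as SVC_ERR_EXPIRED
before the KLL step runs; once kll_get_tickets() has overwritten the
cache with a fresh TGT the old service ticket is gone and a fresh lookup
falls through to SVC_FETCH_WITH_TGT, which is the only reason the
overwrite-rather-than-append choice sidesteps the problem Matt raised.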
