Credential cache searching, ccapi and file caches

Alexandra Ellwood lxs at MIT.EDU
Thu Jul 15 16:14:57 EDT 2004

On Jul 15, 2004, at 3:30 PM, Matt Crawford wrote:

>> As a result of the way that KLL searches for a valid TGT before it 
>> tries to get new tickets, it also only creates one ccache per client 
>> principal.  If KLL needs to use tickets for a client principal and 
>> the existing tickets are expired, KLL will overwrite the existing 
>> ccache with any newly acquired tickets rather than creating a new one 
>> and leaving the old expired tickets behind.
> A side comment, which may amount to a request:
> I recall old behavior in MIT Kerberos on Unix that if a needed service 
> ticket was expired, the client would error out even if the TGT was 
> still valid.  This could happen if the maxlife for a service's 
> principal were short. Since setting a shorter maxlife for some 
> services (or even all services) could be useful, I'm hoping this 
> behavior either has been or will be modified.

The KLL does not change the behavior of krb5 in this case.  If the TGT 
is valid, the KLL will pass the cache back into the krb5 library 
without prompting for new tickets.  If the service ticket already 
exists and is expired, the krb5 library will behaves as it normally 
does -- which I assume is to error out, not get a new service ticket.

Alexandra Ellwood                                           lxs at
MIT Information Services & Technology 

More information about the krbdev mailing list