Tim Alsop Tim at cybersafe.com
Thu Nov 18 13:27:46 EST 2010


We found that if we use MIT 1.8 kinit with an Active Directory 2003 domain
(not supporting FAST) and then use our own klist to list the credentials
cache, we get the following result.

-bash-3.00$ /opt/mitkrb5-1.8.1/bin/kinit -a
Password for scheruku at DEV.LOCAL:
-bash-3.00$ klist -efK
          Cache Type: Kerberos V5 Credentials Cache
          Cache File: /krb5/tmp/cc/krb5cc_4001
       Cache Version: 0504
   Default Principal: scheruku at DEV.LOCAL

Valid From                    Expires                       Service
----------------------------  ----------------------------
Thu 18 Nov 2010 17:44:46 IST  Fri 19 Nov 2010 03:44:48 IST
         Renew Until: Fri 19 Nov 2010 17:44:46 IST
   Session Key EType: 23 (RC4-HMAC-MD5)
        Ticket EType: 23 (RC4-HMAC-MD5)
    KVNO from Ticket:  2
        Ticket Flags: RIA
Thu 01 Jan 1970 05:30:00 IST  Thu 01 Jan 1970 05:30:00 IST
krb5_ccache_conf_data/fast_avail/krbtgt\/DEV.LOCAL\@DEV.LOCAL at X-CACHECONF:

How do you explain this extra cache entry if Active Directory is being
used, which does not support FAST?


On 18/11/2010 18:18, "Greg Hudson" <ghudson at mit.edu> wrote:

>On Thu, 2010-11-18 at 13:07 -0500, Frank Cusack wrote:
>> I find it interesting that kinit puts this info in the ccache and
>> kinit -R removes it.
>That's an implementation imperfection, but it's not terribly important
>just yet.  The config entry is used to determine whether the KDC has
>FAST support, and is currently only used when the caller supplies an
>armor ccache to krb5_get_init_creds.  We don't really expect people to
>use renewed credentials as armor ccaches.
>When we implement client-side FAST TGS support it will probably become


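Added example, not part of the original thread and not MIT or CyberSafe code: a minimal reader for the version 0504 file ccache format that separates real tickets from configuration entries such as the fast_avail one in the listing above, so a klist-style tool can hide or label them. It assumes the MIT convention that config entries use the realm X-CACHECONF: with krb5_ccache_conf_data as the first name component and keep their value in the ticket field; the sample cache bytes are constructed.

```python
import struct

CONF_REALM = b"X-CACHECONF:"          # realm MIT krb5 uses for config entries
CONF_NAME = b"krb5_ccache_conf_data"  # first component of a config principal

class Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ccache")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def num(self, fmt): return struct.unpack(">" + fmt, self.take(struct.calcsize(fmt)))[0]
    def data(self): return self.take(self.num("I"))      # 32-bit length + bytes
    def principal(self):
        _type, count = struct.unpack(">II", self.take(8))
        realm = self.data()
        return realm, [self.data() for _ in range(count)]

def list_entries(buf):
    """Return (server_name, is_config, config_value) for each cache entry."""
    r = Reader(buf)
    if r.num("H") != 0x0504:
        raise ValueError("only cache version 0504 is handled")
    r.take(r.num("H"))                 # skip header tags
    r.principal()                      # default principal
    entries = []
    while r.pos < len(buf):
        r.principal()                  # client
        realm, comps = r.principal()   # server
        r.num("H"); r.data()           # session key: enctype + key bytes
        r.take(16 + 1 + 4)             # four times, is_skey, ticket flags
        for _ in range(2):             # address list, then authdata list
            for _ in range(r.num("I")):
                r.num("H"); r.data()
        ticket = r.data(); r.data()    # ticket, then second ticket
        conf = realm == CONF_REALM and comps[:1] == [CONF_NAME]
        name = (b"/".join(comps) + b"@" + realm).decode(errors="replace")
        entries.append((name, conf, ticket.decode(errors="replace") if conf else None))
    return entries

# Constructed sample cache (not captured from a real system).
def _d(b): return struct.pack(">I", len(b)) + b
def _p(realm, *c): return struct.pack(">II", 1, len(c)) + _d(realm) + b"".join(map(_d, c))
def _cred(sv, tkt):                    # zeroed key, times, flags, empty lists
    return ME + sv + struct.pack(">H", 23) + _d(bytes(16)) + bytes(29) + _d(tkt) + _d(b"")
ME = _p(b"DEV.LOCAL", b"scheruku")
SAMPLE = (struct.pack(">HHHHII", 0x0504, 12, 1, 8, 0, 0) + ME
          + _cred(_p(b"DEV.LOCAL", b"krbtgt", b"DEV.LOCAL"), b"\x61\x00")
          + _cred(_p(CONF_REALM, CONF_NAME, b"fast_avail", b"krbtgt/DEV.LOCAL@DEV.LOCAL"), b"yes"))
```

The zeroed time fields in a config entry are what a klist that does not filter these entries prints as the 1970 epoch in local time.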