X-CACHECONF in cache type 0504
Tim Alsop
Tim at cybersafe.com
Thu Nov 18 13:27:46 EST 2010
Greg,
We found that when we use MIT 1.8 kinit with an Active Directory 2003 domain (not
supporting FAST) and then use our own klist to list the credentials cache,
we get the following result.
-bash-3.00$ /opt/mitkrb5-1.8.1/bin/kinit -a
Password for scheruku at DEV.LOCAL:
-bash-3.00$ klist -efK
Cache Type: Kerberos V5 Credentials Cache
Cache File: /krb5/tmp/cc/krb5cc_4001
Cache Version: 0504
Default Principal: scheruku at DEV.LOCAL
Valid From                    Expires                       Service Principal
----------------------------  ----------------------------  -----------------
Thu 18 Nov 2010 17:44:46 IST  Fri 19 Nov 2010 03:44:48 IST  krbtgt/DEV.LOCAL at DEV.LOCAL
Renew Until: Fri 19 Nov 2010 17:44:46 IST
Session Key EType: 23 (RC4-HMAC-MD5)
Ticket EType: 23 (RC4-HMAC-MD5)
KVNO from Ticket: 2
Ticket Flags: RIA
Address: 10.100.1.63
Thu 01 Jan 1970 05:30:00 IST  Thu 01 Jan 1970 05:30:00 IST  krb5_ccache_conf_data/fast_avail/krbtgt\/DEV.LOCAL\@DEV.LOCAL at X-CACHECONF:
How do you explain this extra cache entry if Active Directory is being
used, which is not supporting FAST?
Thanks,
Tim
On 18/11/2010 18:18, "Greg Hudson" <ghudson at mit.edu> wrote:
>On Thu, 2010-11-18 at 13:07 -0500, Frank Cusack wrote:
>> I find it interesting that kinit puts this info in the ccache and
>> kinit -R removes it.
>
>That's an implementation imperfection, but it's not terribly important
>just yet. The config entry is used to determine whether the KDC has
>FAST support, and is currently only used when the caller supplies an
>armor ccache to krb5_get_init_creds. We don't really expect people to
>use renewed credentials as armor ccaches.
>
>When we implement client-side FAST TGS support it will probably become
>relevant.
>
>
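Added example, not part of the original message and not MIT's or CyberSafe's code: a minimal Python reader for the version 0504 file layout that separates real tickets from `X-CACHECONF:` configuration entries such as the `fast_avail` one in the listing above, whose value sits in the ticket field and whose times are all zero. Assumptions: the function names, the sample bytes, and the stored value "yes" are constructed for illustration.

```python
import struct

CONF_REALM, CONF_NAME = b"X-CACHECONF:", "krb5_ccache_conf_data"

class Reader:  # big-endian cursor over a version 0504 FILE ccache
    def __init__(self, buf): self.buf, self.pos = buf, 0
    def take(self, n):
        if self.pos + n > len(self.buf): raise ValueError("truncated ccache")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())        # 32-bit length, then bytes
    def typed(self): return self.u16(), self.data()     # keyblock / address / authdata
    def principal(self):
        _name_type, count, realm = self.u32(), self.u32(), self.data()
        return realm, [self.data().decode() for _ in range(count)]

def split_ccache(buf):  # -> (tickets, config): real credentials vs. config entries
    r = Reader(buf)
    if r.take(2) != b"\x05\x04": raise ValueError("not a version 0504 ccache")
    r.take(r.u16())                                     # v4 header tags
    r.principal()                                       # default principal
    tickets, config = [], []
    while r.pos < len(buf):
        _client, (realm, names) = r.principal(), r.principal()
        r.typed()                                       # session keyblock
        _auth, _start, end, _renew = struct.unpack(">4I", r.take(16))
        r.take(5)                                       # is_skey (1 byte) + ticket flags
        for _ in range(r.u32()): r.typed()              # addresses
        for _ in range(r.u32()): r.typed()              # authdata
        ticket, _second = r.data(), r.data()
        if realm == CONF_REALM and names[:1] == [CONF_NAME]:
            config.append((tuple(names[1:]), ticket.decode()))  # value is in the ticket field
        else:
            tickets.append(("/".join(names) + "@" + realm.decode(), end))
    return tickets, config

def _d(b): return struct.pack(">I", len(b)) + b
def _princ(realm, *comps):
    return struct.pack(">II", 1, len(comps)) + _d(realm) + b"".join(map(_d, comps))
def _cred(client, server, times, ticket):
    return (client + server + struct.pack(">H", 23) + _d(b"\0" * 16)
            + struct.pack(">4I", *times) + b"\0" + struct.pack(">3I", 0, 0, 0) + _d(ticket) + _d(b""))
def sample_ccache():  # constructed input mirroring the listing; key/ticket bytes are dummies
    me, tgt = _princ(b"DEV.LOCAL", b"scheruku"), _princ(b"DEV.LOCAL", b"krbtgt", b"DEV.LOCAL")
    conf = _princ(CONF_REALM, CONF_NAME.encode(), b"fast_avail", b"krbtgt/DEV.LOCAL@DEV.LOCAL")
    return (b"\x05\x04" + struct.pack(">HHHII", 12, 1, 8, 0, 0) + me
            + _cred(me, tgt, (1290082486, 1290082486, 1290118488, 1290168886), b"dummy")
            + _cred(me, conf, (0, 0, 0, 0), b"yes"))
```

A lister built this way can hide the `config` list from the ticket display, so the epoch-dated row never appears as if it were a service ticket.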