[28391] in Kerberos
Re: [-SPAM-] Re: Question about krb5_get_renewed_creds
daemon@ATHENA.MIT.EDU (Markus Moeller)
Mon Sep 10 17:27:36 2007
Message-ID: <065801c7f3f1$5ade3b50$0801a8c0@home>
From: "Markus Moeller" <huaraz@moeller.plus.com>
To: <jaltman@secure-endpoints.com>
Date: Mon, 10 Sep 2007 22:26:51 +0100
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Jeffrey,
when you say destroy tickets do you use krb5_cc_remove_cred ? How can I do
it for memory caches as remove_cred isn't supported.?
Thank you
Markus
----- Original Message -----
From: "Jeffrey Altman" <jaltman@secure-endpoints.com>
To: <huaraz@moeller.plus.com>
Cc: <kerberos@mit.edu>
Sent: Monday, September 10, 2007 8:27 PM
Subject: [-SPAM-] Re: Question about krb5_get_renewed_creds
> Markus Moeller wrote:
>> My application tries to renew credentials with krb5_get_renewed_cred
>> about
>> every 5 minutes for the default principal. Will a following
>> gss_init_sec_context request a new service principal or do I need to call
>> krb5_get_renewed_cred also for the service principal ?
>> I see the following when renewing and storing the credentials on Windows
>> and
>> gss_init_sec_context fails with ticket expired as it doesn't seem to
>> attempt to renew the service principal with the maximal krbtgt (here
>> 19:39:57) expiry time but uses the initial expiry time of 19:29:47.
> Markus:
>
> krb5_get_renewed_creds() only renews the single service ticket that is
> specified
> as the in_tkt_service parameter or the TGT if none is specified. It
> does not
> modify any of the other credentials in the cache.
>
> Ticket managers such as NIM's krb5 identity provider destroy the tickets
> other
> than the TGT when renewing the TGT. This forces the acquisition of new
> service
> tickets.
>
> Jeffrey Altman
>
>
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos