[36305] in Kerberos
Client keytab ignored when CC has expired
daemon@ATHENA.MIT.EDU (Michael Osipov)
Tue Jul 29 16:51:06 2014
Message-ID: <53D80930.5010006@gmx.net>
Date: Tue, 29 Jul 2014 22:50:56 +0200
From: Michael Osipov <1983-01-06@gmx.net>
MIME-Version: 1.0
To: Kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi,
my application tries to acquire a GSS credential with a client keytab:
$ KRB_CLIENT_KTNAME=$HOME/client.keytab app
No credential is obtained. At that time, the credential was already
expired. I turned on KRB5_DEBUG and saw that the KRB5 lib checks the
credential cache and stops right there. It does not detect that it has
expired and does not use the client keytab to inquire for a new TGT.
I can provide an obfuscated logfile if necessary.
In my opinion, that is a bug and defeats the entire purpose of the
client keytab.
We do use MIT Kerberos 1.12.1 on HP-UX 11.31.
Michael
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos