[17036] in Kerberos-V5-bugs
[krbdev.mit.edu #9179] git commit
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Mon Aug 4 17:44:15 2025
From: "Greg Hudson via RT" <rt@krbdev.mit.edu>
In-Reply-To:
Message-ID: <rt-4.4.3-2-1708011-1754343849-112.9179-5-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9179":;
Date: Mon, 04 Aug 2025 17:44:09 -0400
MIME-Version: 1.0
Reply-To: rt@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9179 >
Avoid large numbers of refresh_time cache entries
Commit 729896467e3c77904666019d6cbbda583ae49b95 amended
kg_cred_time_to_refresh() to attempt a refresh from a client keytab
when creds are close to expiration, even if no refresh_time config
entry is set (as would be the case if the creds were acquired from a
client keytab in the first place). The added conditional sets a
refresh_time config entry, which is unhelpful as it has no
corresponding check for one. kg_cred_time_to_refresh() is called
before can_get_initial_creds(), so we add a config entry on every
acquire_cred call when the creds are expired or close to expired, even
with no accessible keytab. Remove the set_refresh_time() call to
avoid this inefficient behavior.
(cherry picked from commit a656a739721868d6b271c73a0e2785de687c3bc5)
https://github.com/krb5/krb5/commit/4bb7cb8978450119c14c4168f67b17654ba1419f
Author: Greg Hudson <ghudson@mit.edu>
Commit: 4bb7cb8978450119c14c4168f67b17654ba1419f
Branch: krb5-1.22
src/lib/gssapi/krb5/acquire_cred.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
