[36209] in Kerberos

klist shows same ticket multiple times

daemon@ATHENA.MIT.EDU (Ben H)
Thu Jun 19 13:25:48 2014

Date: Thu, 19 Jun 2014 12:25:31 -0500
Message-ID: <CAAd7auZay8D3M-URT_5u8bxf1XkxrLNyiPib6ATSUiKJ_5tiUA@mail.gmail.com>
From: Ben H <bhendin@gmail.com>
To: kerberos@mit.edu

I had asked in an earlier thread about the existence of multiple tickets in
my cache based off of a single ticket exchange.

Greg explained the following:
"When a client cannot determine the realm of a remote host
authoritatively (via krb5.conf [domain_realm] in a typical setup), it
tries to use referrals using the client principal realm.  Internally, a
service principal is represented with an empty realm to mean "we don't
know the realm yet."  Once the ticket is obtained, it is cached under
the canonical service name with realm, and also under the internal "we
don't know the realm yet" name so that the referral request does not
have to be repeated."

However I am also seeing in some scenarios what appears to be the exact
same tickets (based on SPN, time, flags, and encryption type) listed
multiple times in my cache.

Below for instance the ticket with details '06/19/14 11:34:25  06/19/14
11:44:25  ldap/SPP-VP-DC01.spptech.com@SPPTECH.COM' shows up 5 times.

Can someone provide an explanation for this?

thanks

[ROOT\rootuser@centos65-01 ~]$ /opt/pbis/bin/klist -e -f
Ticket cache: FILE:/tmp/krb5cc_1071646274
Default principal: rootuser@ROOT.LOCAL

Valid starting     Expires            Service principal
06/19/14 11:33:33  06/19/14 12:33:53  krbtgt/ROOT.LOCAL@ROOT.LOCAL
        renew until 06/20/14 11:33:33, Flags: FRIA
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 11:33:53  06/19/14 11:43:53  host/centos65-01.root.local@ROOT.LOCAL
        renew until 06/20/14 11:33:33, Flags: FRA
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, arcfour-hmac
06/19/14 11:34:25  06/19/14 11:44:25  ldap/ROOT-VP-DC01.root.local@ROOT.LOCAL
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 11:34:25  06/19/14 11:44:25  krbtgt/SPPTECH.COM@ROOT.LOCAL
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 11:34:25  06/19/14 11:44:25  ldap/SPP-VP-DC01.spptech.com@SPPTECH.COM
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 11:34:25  06/19/14 11:44:25  krbtgt/SPPTECH.COM@ROOT.LOCAL
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 11:34:25  06/19/14 11:44:25  ldap/SPP-VP-DC01.spptech.com@SPPTECH.COM
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 11:34:25  06/19/14 11:44:25  krbtgt/SPPTECH.COM@ROOT.LOCAL
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 11:34:25  06/19/14 11:44:25  ldap/SPP-VP-DC01.spptech.com@SPPTECH.COM
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 11:34:25  06/19/14 11:44:25  krbtgt/SPPTECH.COM@ROOT.LOCAL
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 11:34:25  06/19/14 11:44:25  ldap/SPP-VP-DC01.spptech.com@SPPTECH.COM
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 11:34:25  06/19/14 11:44:25  krbtgt/SPPTECH.COM@ROOT.LOCAL
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 11:34:25  06/19/14 11:44:25  ldap/SPP-VP-DC01.spptech.com@SPPTECH.COM
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 12:09:25  06/19/14 12:19:25  ldap/ROOT-VP-DC01.root.local@ROOT.LOCAL
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 12:09:30  06/19/14 12:19:30  krbtgt/SPPTECH.COM@ROOT.LOCAL
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 12:09:30  06/19/14 12:19:30  ldap/SPP-VP-DC01.spptech.com@SPPTECH.COM
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 12:09:30  06/19/14 12:19:30  krbtgt/SPPTECH.COM@ROOT.LOCAL
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 12:09:30  06/19/14 12:19:30  ldap/SPP-VP-DC01.spptech.com@SPPTECH.COM
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 12:09:30  06/19/14 12:19:30  krbtgt/SPPTECH.COM@ROOT.LOCAL
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 12:09:30  06/19/14 12:19:30  ldap/SPP-VP-DC01.spptech.com@SPPTECH.COM
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 12:09:30  06/19/14 12:19:30  krbtgt/SPPTECH.COM@ROOT.LOCAL
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 12:09:30  06/19/14 12:19:30  ldap/SPP-VP-DC01.spptech.com@SPPTECH.COM
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 12:09:30  06/19/14 12:19:30  krbtgt/SPPTECH.COM@ROOT.LOCAL
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 12:09:30  06/19/14 12:19:30  ldap/SPP-VP-DC01.spptech.com@SPPTECH.COM
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
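
Added example, not part of the original message or of any Kerberos distribution: a small parser for `klist -e -f` output that rejoins principal names split by line wrapping and counts cache entries that are identical in principal, times, flags and enctypes. The function names are hypothetical, and the sample is assembled from entries shown in the listing above.

```python
import re
from collections import Counter
# Constructed sample: entries copied from the post's klist output, mail wrapping kept.
ROOT_ENTRY = """\
06/19/14 11:34:25  06/19/14 11:44:25
 ldap/ROOT-VP-DC01.root.local@ROOT.LOCAL
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""
PAIR = """\
06/19/14 11:34:25  06/19/14 11:44:25  krbtgt/SPPTECH.COM@ROOT.LOCAL
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 11:34:25  06/19/14 11:44:25  ldap/
SPP-VP-DC01.spptech.com@SPPTECH.COM
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""
SAMPLE = ROOT_ENTRY + PAIR * 5   # the cross-realm pair is listed 5 times in the post

STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
ENTRY = re.compile(rf"^({STAMP})\s+({STAMP})\s*(\S*)$")

def parse_klist(text):
    """Return one dict per cache entry, rejoining wrapped principal names."""
    entries, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        m = ENTRY.match(s)
        if m:
            cur = {"principal": m[3], "start": m[1], "end": m[2], "flags": "", "etypes": ""}
            entries.append(cur)
        elif cur is None or not s:
            continue                      # banner lines before the first entry
        elif s.startswith("renew until") or "Flags:" in s:
            cur["flags"] = s.partition("Flags:")[2].strip()
        elif s.startswith("Etype"):
            cur["etypes"] = s.partition(":")[2].strip()
        else:
            cur["principal"] += s         # continuation of a wrapped principal
    return entries

def duplicates(entries):
    """Map (principal, start, end, flags, etypes) -> count, for counts above 1."""
    counts = Counter(tuple(e.values()) for e in entries)
    return {k: n for k, n in counts.items() if n > 1}

if __name__ == "__main__":
    for key, n in duplicates(parse_klist(SAMPLE)).items(): print(n, *key)
```
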