[16582] in Kerberos-V5-bugs
[krbdev.mit.edu #8925] [Comment] qualify_shortname default can be
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Wed Jul 15 15:56:53 2020
From: "Greg Hudson via RT" <rt-comment@krbdev.mit.edu>
In-Reply-To: <rt-4.4.4-70196-1594754825-647.8925-8-0@mit.edu>
Message-ID: <rt-4.4.4-26916-1594842995-85.8925-8-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #8925":;
Date: Wed, 15 Jul 2020 15:56:35 -0400
MIME-Version: 1.0
Reply-To: rt-comment@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
https://krbdev.mit.edu/rt/Ticket/Display.html?id=8925
This is a comment. It is not sent to the Requestor(s):
* krb5_get_credentials() ordinarily handles both checking the cache and storing
into the cache. For S4U2Self requests, it calls k5_get_proxy_cred_from_kdc(),
which stores into the cache but does not check the cache, so repeated
krb5_get_credentials() S4U2Self calls will result in duplicate cache entries.
(GSSAPI does its own cache check before making the S4U2Proxy request, and
kvno -P uses the krb5_get_credentials_for_proxy() wrapper which does a cache
check. So this is purely an issue with the krb5_get_credentials() API.)