[17029] in Kerberos-V5-bugs
[krbdev.mit.edu #9179] git commit
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Wed Jul 16 21:12:40 2025
From: "Greg Hudson via RT" <rt-comment@krbdev.mit.edu>
In-Reply-To:
Message-ID: <rt-4.4.3-2-2726308-1752714754-739.9179-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9179":;
Date: Wed, 16 Jul 2025 21:12:34 -0400
MIME-Version: 1.0
Reply-To: rt-comment@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
Wed Jul 16 21:12:34 2025: Request 9179 was acted upon.
Transaction: Ticket created by ghudson@mit.edu
Queue: krb5
Subject: git commit
Owner: ghudson@mit.edu
Requestors:
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9179 >
Avoid large numbers of refresh_time cache entries
Commit 729896467e3c77904666019d6cbbda583ae49b95 amended
kg_cred_time_to_refresh() to attempt a refresh from a client keytab
when creds are close to expiration, even if no refresh_time config
entry is set (as would be the case if the creds were acquired from a
client keytab in the first place). The added conditional sets a
refresh_time config entry, which is unhelpful as it has no
corresponding check for one. kg_cred_time_to_refresh() is called
before can_get_initial_creds(), so we add a config entry on every
acquire_cred call when the creds are expired or close to expired, even
with no accessible keytab. Remove the set_refresh_time() call to
avoid this inefficient behavior.
https://github.com/krb5/krb5/commit/a656a739721868d6b271c73a0e2785de687c3bc5
Author: Greg Hudson <ghudson@mit.edu>
Commit: a656a739721868d6b271c73a0e2785de687c3bc5
Branch: master
src/lib/gssapi/krb5/acquire_cred.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
