[16473] in Kerberos_V5_Development
Re: X-CACHECONF in cache type 0504
daemon@ATHENA.MIT.EDU (Tim Alsop)
Thu Nov 18 14:23:32 2010
From: Tim Alsop <Tim@cybersafe.com>
To: Greg Hudson <ghudson@mit.edu>, Frank Cusack <frank+krb@linetwo.net>
Date: Thu, 18 Nov 2010 18:27:46 +0000
Message-ID: <C90B1FE1.276F9%Tim.Alsop@CyberSafe.com>
In-Reply-To: <1290104320.2633.1199.camel@ray>
Cc: "krbdev@MIT.EDU" <krbdev@mit.edu>, Tim Alsop <tim@cybersafe.com>

Greg,

We found that when we use MIT 1.8 kinit with Active Directory 2003 domain (not
supporting FAST) and then use our own klist to list the credentials cache,
we get the following result.

-bash-3.00$ /opt/mitkrb5-1.8.1/bin/kinit -a
Password for scheruku@DEV.LOCAL:
-bash-3.00$ klist -efK
Cache Type: Kerberos V5 Credentials Cache
Cache File: /krb5/tmp/cc/krb5cc_4001
Cache Version: 0504
Default Principal: scheruku@DEV.LOCAL

Valid From                    Expires                       Service Principal
----------------------------  ----------------------------  -----------------
Thu 18 Nov 2010 17:44:46 IST  Fri 19 Nov 2010 03:44:48 IST  krbtgt/DEV.LOCAL@DEV.LOCAL
    Renew Until: Fri 19 Nov 2010 17:44:46 IST
    Session Key EType: 23 (RC4-HMAC-MD5)
    Ticket EType: 23 (RC4-HMAC-MD5)
    KVNO from Ticket: 2
    Ticket Flags: RIA
    Address: 10.100.1.63
Thu 01 Jan 1970 05:30:00 IST  Thu 01 Jan 1970 05:30:00 IST  krb5_ccache_conf_data/fast_avail/krbtgt\/DEV.LOCAL\@DEV.LOCAL@X-CACHECONF:

How do you explain this extra cache entry if Active Directory is being
used, which is not supporting FAST?

Thanks,
Tim

On 18/11/2010 18:18, "Greg Hudson" <ghudson@mit.edu> wrote:
>On Thu, 2010-11-18 at 13:07 -0500, Frank Cusack wrote:
>> I find it interesting that kinit puts this info in the ccache and
>> kinit -R removes it.
>
>That's an implementation imperfection, but it's not terribly important
>just yet. The config entry is used to determine whether the KDC has
>FAST support, and is currently only used when the caller supplies an
>armor ccache to krb5_get_init_creds. We don't really expect people to
>use renewed credentials as armor ccaches.
>
>When we implement client-side FAST TGS support it will probably become
>relevant.
>
>