So far I haven't been able to find a leak in the replay cache code, and
I can't find records of how previous reports of this kind of issue were
Note that each GSS acceptor credential handle (if it contains a krb5
credential) holds a replay cache handle, which holds an open file
descriptor. So if the application is leaking GSS credential handles,
it would manifest as an fd leak in the process.
krb5-bugs mailing list
[hidden email] https://mailman.mit.edu/mailman/listinfo/krb5-bugs