[krbdev.mit.edu #8925] [Comment] qualify_shortname default can be harmful in LAN setups

Greg Hudson via RT

This is a comment.  It is not sent to the Requestor(s):

* krb5_get_credentials() ordinarily handles both checking the cache and storing
into the cache. For S4U2Self requests, it calls k5_get_proxy_cred_from_kdc(),
which stores into the cache but does not check the cache, so repeated
krb5_get_credentials() S4U2Self calls will result in duplicate cache entries.
(GSSAPI does its own cache check before making the S4U2Proxy request, and kvno
-P uses the krb5_get_credentials_for_proxy() wrapper which does a cache check.
So this is purely an issue with the krb5_get_credentials() API.)

krb5-bugs mailing list