On Wed, Aug 09, 2017 at 03:01:16PM -0400, Jeffrey Altman wrote:
> I hope this is an unnecessary question, but will all Kerberos libraries
> that parse the file cache know to skip the expired entries and keep
> searching? Or are there implementations that will only return the first
> service principal match?

The krb5 API used, krb5_cc_retrieve_cred(), supports this going back a
long time in MIT, and probably in Heimdal, but you have to ask for this
by including KRB5_TC_MATCH_TIMES in the options flags argument.

Nico
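
Added example, not part of the original message and not libkrb5 code: a self-contained C model of the lookup behaviour discussed above, where a time-aware match (standing in for KRB5_TC_MATCH_TIMES) skips an expired entry and keeps searching. The struct, the MODEL_MATCH_TIMES flag, the retrieve() and lookup_id() helpers and the sample cache are all constructed for illustration, and only the ticket end time is modelled.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#define MODEL_MATCH_TIMES 0x1  /* hypothetical stand-in for KRB5_TC_MATCH_TIMES */
#define NOW ((time_t)1502305276)  /* constructed "current time" */

struct entry {               /* model of a cache entry */
    const char *server;      /* service principal name */
    time_t endtime;          /* ticket expiry */
    int id;                  /* constructed label for this demo */
};
/* Constructed sample cache: an expired ticket precedes a valid one. */
static const struct entry sample_cache[] = {
    { "host/a.example.com@EXAMPLE.COM", NOW - 3600, 1 },  /* expired */
    { "host/b.example.com@EXAMPLE.COM", NOW + 3600, 2 },
    { "host/a.example.com@EXAMPLE.COM", NOW + 7200, 3 },  /* still valid */
};

/* Scan in cache order. Without MODEL_MATCH_TIMES the first entry for the
 * server wins even if expired; with it, entries ending before want_endtime
 * are skipped and the search continues. */
const struct entry *retrieve(const struct entry *cache, size_t n,
                             const char *server, time_t want_endtime, int flags)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(cache[i].server, server) != 0)
            continue;
        if ((flags & MODEL_MATCH_TIMES) && want_endtime != 0 &&
            cache[i].endtime < want_endtime)
            continue;  /* expired: keep searching */
        return &cache[i];
    }
    return NULL;
}

int lookup_id(const char *server, int flags)
{
    size_t n = sizeof sample_cache / sizeof sample_cache[0];
    const struct entry *e = retrieve(sample_cache, n, server, NOW, flags);
    return e ? e->id : -1;  /* entry id, or -1 when nothing matches */
}

int main(void)
{
    const char *svc = "host/a.example.com@EXAMPLE.COM";
    printf("first match: entry %d\n", lookup_id(svc, 0));
    printf("time match:  entry %d\n", lookup_id(svc, MODEL_MATCH_TIMES));
    return 0;
}
```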