On Wed, Aug 09, 2017 at 09:58:04PM +0700, Victor Sudakov wrote:

> Now if I destroy the expired ticket by "kdestroy --credential=host/techno..."
> a new ticket is received and gssapi-with-mic is again successful until
> the new ticket expires again.
> I'm beginning to think of a cron job which would destroy hourly all
> the service tickets... all except the TGT.

To bring the conversation back a little to the original point:

It appears that Heimdal 1.5 had incorrect behaviour.  The ccache code
should skip expired credentials when finding service tickets.  This looks
like it was fixed by the following commit:

        commit 0f1ae2d10186afb654df8f50cc78663eb53f27a9
        Author: Nicolas Williams <n...@cryptonector.com>
        Date:   Fri Aug 2 18:55:36 2013 -0500

            Use KRB5_TC_MATCH_TIMES when looking for creds

So, if you upgrade, this issue will be resolved.

    Roland C. Dowdeswell
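
The lookup behaviour discussed above, as an added example that is not part of the original message and not Heimdal's code: a simplified model of a cache search with and without a time match. The struct, the function `cc_find`, the flag `MATCH_TIMES` (standing in for `KRB5_TC_MATCH_TIMES`) and the sample principals are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Simplified model of a cache entry (hypothetical, not Heimdal's krb5_creds). */
struct cred {
    const char *server;  /* service principal name */
    time_t endtime;      /* ticket expiry time */
};

#define MATCH_TIMES 0x1  /* hypothetical flag modelling KRB5_TC_MATCH_TIMES */

/* Return the first cached entry for `server`, or NULL on a miss.
 * With MATCH_TIMES set, an entry whose endtime is earlier than `min_endtime`
 * does not match, so an expired ticket is skipped and the caller sees a miss
 * and has to request a fresh ticket. Without the flag, the expired entry is
 * returned and keeps being reused. */
const struct cred *cc_find(const struct cred *cache, size_t n,
                           const char *server, time_t min_endtime,
                           unsigned flags)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(cache[i].server, server) != 0)
            continue;
        if ((flags & MATCH_TIMES) && cache[i].endtime < min_endtime)
            continue;  /* expired: keep looking */
        return &cache[i];
    }
    return NULL;
}

/* Constructed sample cache: a valid TGT and an expired host ticket. */
#define NOW ((time_t)1502290684)
#define HOST "host/server.example.org@EXAMPLE.ORG"
static const struct cred sample_cache[] = {
    { "krbtgt/EXAMPLE.ORG@EXAMPLE.ORG", NOW + 36000 },
    { HOST, NOW - 60 },
};

int main(void)
{
    const struct cred *a = cc_find(sample_cache, 2, HOST, NOW, 0);
    const struct cred *b = cc_find(sample_cache, 2, HOST, NOW, MATCH_TIMES);
    printf("without time match: %s\n", a ? "expired ticket returned" : "miss");
    printf("with time match:    %s\n", b ? "ticket returned" : "miss, refetch");
    return 0;
}
```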
