Roland C. Dowdeswell wrote:
> > Now if I destroy the expired ticket by "kdestroy 
> > --credential=host/techno..."
> > a new ticket is received and gssapi-with-mic is again successful until
> > the new ticket expires again.
> > 
> > I'm beginning to think of a cron job which would destroy hourly all
> > the service tickets... all except the TGT.
> To bring the conversation back a little to the original point:
> It appears that Heimdal 1.5 had incorrect behaviour.  The ccache code
> should skip expired credentials when finding service tickets.  This looks
> like it was fixed by the following commit:
>       commit 0f1ae2d10186afb654df8f50cc78663eb53f27a9
>       Author: Nicolas Williams <>
>       Date:   Fri Aug 2 18:55:36 2013 -0500
>           Use KRB5_TC_MATCH_TIMES when looking for creds
> So, if you upgrade, this issue will be resolved.

That's good news. I could install the current Heimdal 7.4.0 from the
FreeBSD ports collection. However, there were two major problems with
upgrading when I last tried:

1. The 7.x kdc did not understand the heimdal.db Kerberos database
created by 1.5.2. Are they not compatible? What should I know about

2. The utilities in the FreeBSD base system will remain linked to the
base system Heimdal libs (/usr/lib/libgssapi* instead of the newer

Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
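
The lookup behaviour described in the quoted reply, as an added example that is not part of the original thread and is not Heimdal's code: a simplified C model of a credential cache search, where the MATCH_TIMES flag stands in for KRB5_TC_MATCH_TIMES. The struct, function name, principals and timestamps are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Simplified model of one ccache entry (not Heimdal's krb5_creds). */
struct cred {
    const char *server;   /* service principal the ticket is for */
    time_t endtime;       /* ticket expiry time */
};

#define MATCH_TIMES 0x1   /* hypothetical stand-in for KRB5_TC_MATCH_TIMES */
#define NOW ((time_t)1000000)   /* constructed "current time" */

/* Return the first cached entry for `server`. With MATCH_TIMES set,
 * entries whose endtime is earlier than min_endtime are skipped.
 * NULL means "not cached", which is what sends a client back to the
 * KDC for a fresh service ticket. */
const struct cred *find_cred(const struct cred *cc, size_t n,
                             const char *server, time_t min_endtime,
                             int flags)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(cc[i].server, server) != 0)
            continue;
        if ((flags & MATCH_TIMES) && cc[i].endtime < min_endtime)
            continue;   /* expired: treat as a cache miss */
        return &cc[i];
    }
    return NULL;
}

/* Constructed cache: a still-valid TGT and an expired service ticket. */
static const struct cred CACHE[] = {
    { "krbtgt/EXAMPLE.ORG",      1000000 + 36000 },
    { "host/server.example.org", 1000000 - 60 },
};
#define CACHE_LEN (sizeof CACHE / sizeof CACHE[0])

int main(void)
{
    const char *svc = "host/server.example.org";
    const struct cred *a = find_cred(CACHE, CACHE_LEN, svc, NOW, 0);
    const struct cred *b = find_cred(CACHE, CACHE_LEN, svc, NOW, MATCH_TIMES);

    printf("without time match: %s\n", a ? "expired ticket reused" : "miss");
    printf("with time match:    %s\n", b ? "hit" : "miss, fetch new ticket");
    return 0;
}
```

Without the time check the expired entry keeps being returned until it is removed from the cache, which is why destroying that one credential temporarily restores gssapi-with-mic.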
