Roland C. Dowdeswell wrote:
>
> > Now if I destroy the expired ticket by "kdestroy
> > --credential=host/techno..."
> > a new ticket is received and gssapi-with-mic is again successful until
> > the new ticket expires again.
> >
> > I'm beginning to think of a cron job which would destroy hourly all
> > the service tickets... all except the TGT.
>
> To bring the conversation back a little to the original point:
>
> It appears that Heimdal 1.5 had incorrect behaviour. The ccache code
> should skip expired credentials when finding service tickets. This looks
> like it was fixed by the following commit:
>
> commit 0f1ae2d10186afb654df8f50cc78663eb53f27a9
> Author: Nicolas Williams <[email protected]>
> Date: Fri Aug 2 18:55:36 2013 -0500
>
> Use KRB5_TC_MATCH_TIMES when looking for creds
>
> So, if you upgrade, this issue will be resolved.

That's good news. I could install the current Heimdal 7.4.0 from the
FreeBSD ports collection, however, there were two major problems
upgrading when I tried last time:

1. The 7.x kdc did not understand the heimdal.db Kerberos database
   created by 1.5.2. Are they not compatible? What should I know about
   this?

2. The utilities in the FreeBSD base system will remain linked to the
   base system Heimdal libs (/usr/lib/libgssapi* instead of the newer
   /usr/local/lib/libgssapi*).

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN AS43859
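
The following is an added example, not part of the messages above and not Heimdal's code: a simplified C model of the cache lookup behaviour discussed in the thread, showing why a lookup that ignores ticket times keeps returning the expired service ticket while a time-aware lookup skips it. The struct, the function, the `MODEL_MATCH_TIMES` flag (a stand-in for `KRB5_TC_MATCH_TIMES`), the principal names and the timestamps are all constructed for illustration, and the rule "cached end time must not be earlier than the requested one" is an assumption of the model.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Simplified model of one cache entry; not Heimdal's krb5_creds. */
struct model_cred {
    const char *server;  /* service principal the ticket is for */
    time_t endtime;      /* when the ticket expires */
};

#define MODEL_MATCH_TIMES 0x1u            /* hypothetical stand-in flag */
#define NOW  ((time_t)1500000000)         /* constructed "current time" */
#define HOST "host/server.example.org@EXAMPLE.ORG"  /* constructed name */

/* Constructed cache: a valid TGT, an expired service ticket, and the
 * fresh service ticket a client would append after asking the KDC again. */
static const struct model_cred sample_cache[] = {
    { "krbtgt/EXAMPLE.ORG@EXAMPLE.ORG", NOW + 36000 },
    { HOST,                             NOW - 600   },  /* expired */
    { HOST,                             NOW + 3600  },  /* fresh   */
};

/* Return the index of the first entry that matches, or -1 when nothing
 * usable is cached and the caller has to request a new ticket. */
int model_find_cred(const struct model_cred *cache, size_t n,
                    const char *server, time_t min_endtime, unsigned flags)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(cache[i].server, server) != 0)
            continue;                     /* different service */
        if ((flags & MODEL_MATCH_TIMES) && cache[i].endtime < min_endtime)
            continue;                     /* expired: skip instead of returning it */
        return (int)i;
    }
    return -1;
}

int main(void)
{
    /* Cache holding only the TGT and the expired service ticket. */
    printf("name-only match:   %d\n", model_find_cred(sample_cache, 2, HOST, NOW, 0));
    printf("time-aware match:  %d\n", model_find_cred(sample_cache, 2, HOST, NOW, MODEL_MATCH_TIMES));
    /* After a fresh ticket has been added to the cache. */
    printf("time-aware, fresh: %d\n", model_find_cred(sample_cache, 3, HOST, NOW, MODEL_MATCH_TIMES));
    return 0;
}
```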
