According to strace ... 1.2.8 app server with named credential - opens an rcache. 1.3.1 app server with no credential - no evidence of rcache being opened.
wrt to krb5_rd_req - it looks like rcache is obtained only if auth_context_flags includes KRB5_AUTH_CONTEXT_DO_TIME. accept_sec_context clearly sets auth_context with KRB5_AUTH_CONTEXT_DO_SEQUENCE.

What am I missing?

>>>>> "Sam" == Sam Hartman <[EMAIL PROTECTED]> writes:

>>>>> "Cesar" == Cesar Garcia <[EMAIL PROTECTED]> writes:

Cesar> wrt to gssapi and 1.3.1 ...
Cesar> Since we're pointing out lack of replay cache detection,
Cesar> note that if acquiring creds for GSS_C_NO_NAME, then no
Cesar> replay cache is used. (specifically looking at 1.3.1 -
Cesar> lib/gssapi/krb5/acquire_cred.c)

Sam> I think that's false. I believe that krb5_rd_req will end up setting
Sam> up a rcache later.

Sam> I don't have time to go look through the code now though, but I wrote
Sam> it and at least intended that a replay cache would get used even
Sam> though it does not get stored in the GSSAPI credentials structure.

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
