On Tue, 6 Jan 2004, Sam Hartman via RT wrote:

>     gsu> So there is no way that I can remove any expired credential?
>
> Correct, but it is probably not a major problem; expired credentials
> will not be used.  If your cache is getting too full, remove all the
> credentials and get a new TGT.
>

I noticed that if there are more than one credentials for the same server,
krb5_get_credentials returns the first one found which may be expired.
I have to use krb5_cc_retrieve_cred with KRB5_TC_MATCH_TIMES option
to get the good credential and send to the server for authentication.
Since I have to keep getting new service ticket, I thought it would be
nice if I can remove all old ones.

Thank you for the info.