On Tue, 6 Jan 2004, Sam Hartman via RT wrote: > >>>>> "gsu@UU" == gsu@UU NET via RT writes: > gsu@UU> I noticed that if there are more than one credentials for > gsu@UU> the same server, krb5_get_credentials returns the first > gsu@UU> one found which may be expired. I have to use > gsu@UU> krb5_cc_retrieve_cred with KRB5_TC_MATCH_TIMES option to > gsu@UU> get the good credential and send to the server for > gsu@UU> authentication. Since I have to keep getting new service > gsu@UU> ticket, I thought it would be nice if I can remove all old > gsu@UU> ones. > > The logic used by krb5_mk_req in 1.3.x should correctly use only > unexpired credentials. Previous versions of Kerberos did not tend to > do this correctly. > > Is this new logic in release after 1.3.1? I am looking at the 1.3.1 source tree. Suppose I have 2 service tickets, the first one is expired. krb5_mk_req calls krb5_get_credentials which returns the expired ticket. krb5_mk_req calls krb5_mk_req_extended with this expired credential. krb5_mk_req_extended calls krb5_validate_times. krb5_validate_times returns KRB5KRB_AP_ERR_TKT_EXPIRED. krb5_mk_req returns KRB5KRB_AP_ERR_TKT_EXPIRED to the caller. So instead of calling krb5_mk_req, I call krb5_cc_retrieve_cred, then call krb5_mk_req_extended with the valid credential.