The new KRB5_GC_REPLACE option to krb5_get_credentials instructs the function not to return the requested service ticket from the credentials cache but instead to acquire a new one from the KDC and replace any existing tickets with a matching service principal. This functionality is required for tools which always want to obtain a service ticket with a full lifetime. If there is an existing service ticket with ten minutes left, krb5_get_credentials with no options will happily return it even though it is about to expire. Some organizations are willing to provide long lived TGTs that use AES but wish to limit the lifetime of afs service tickets to one hour because of their use of single DES.