I ran "kvno" under strace, and found it opened my credential cache
file for reading (and acquired and released an advisory lock, and
closed the file) 22 times.

I think it made two passes over the credentials, once looking for the
requested service and once looking for the TGT, and opening the file
anew for each credential object read.  It also made at least a couple
passes reading out header info.  So it looks like searching for
credentials that are at the end of the file or not present, in a
ccache of n entries, is O(n) file opens and O(n^2) reads.

Looks like krb5_get_credentials or whatever should temporarily set the
ccache flag that causes the file to be kept open.

(And, of course, it's reading each sub-object with a separate read()
call, but we knew that sucked already.)

Ken