Return-Path: <hartmans@mit.edu>
Received: from mail.suchdamage.org (ec2-52-9-186-167.us-west-1.compute.amazonaws.com [52.9.186.167]) by krbdev.mit.edu (Postfix) with ESMTPS id D43883F059 for <rt@krbdev.mit.edu>; Mon, 24 Apr 2017 18:00:10 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by mail.suchdamage.org (Postfix) with ESMTP id CC5F32176A for <rt@krbdev.mit.edu>; Mon, 24 Apr 2017 18:00:09 -0400 (EDT)
Received: from mail.suchdamage.org ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GiOlxQ2X64oc for <rt@krbdev.mit.edu>; Mon, 24 Apr 2017 18:00:09 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (c-174-63-87-87.hsd1.ma.comcast.net [174.63.87.87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) (Authenticated sender: hartmans-laptop) by mail.suchdamage.org (Postfix) with ESMTPSA for <rt@krbdev.mit.edu>; Mon, 24 Apr 2017 18:00:09 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 62DFC8109B; Mon, 24 Apr 2017 18:00:08 -0400 (EDT)
From: Sam Hartman <hartmans@mit.edu>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #8579] duplicate caching of some cross-realm TGTs
References: <rt-8579-47372.5.11682899178545@krbdev.mit.edu>
Date: Mon, 24 Apr 2017 18:00:08 -0400
In-Reply-To: <rt-8579-47372.5.11682899178545@krbdev.mit.edu> (Greg Hudson via's message of "Mon, 24 Apr 2017 16:35:36 -0400 (EDT)")
Message-ID: <tslzif5lb4n.fsf@suchdamage.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
RT-Send-Cc: 
X-RT-Original-Encoding: iso-8859-1
Content-Length: 396

>>>>> "Greg" == Greg Hudson via RT <rt-comment@krbdev.mit.edu> writes:

    Greg> For client-driven cross-realm scenarios, I believe we should
    Greg> cache the TGTs we ask for, but not alternate TGTs.  If we
    Greg> cache alternate TGTs, we could have the same kind of scenario
    Greg> where we repeatedly cache an alternate TGT because the overall
    Greg> TGS operation fails.

Agreed.