From: Sam Hartman
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #8579] duplicate caching of some cross-realm TGTs
Date: Mon, 24 Apr 2017 18:00:08 -0400
In-Reply-To: (Greg Hudson via's message of "Mon, 24 Apr 2017 16:35:36 -0400 (EDT)")

>>>>> "Greg" == Greg Hudson via RT writes:

    Greg> For client-driven cross-realm scenarios, I believe we should
    Greg> cache the TGTs we ask for, but not alternate TGTs.  If we
    Greg> cache alternate TGTs, we could have the same kind of scenario
    Greg> where we repeatedly cache an alternate TGT because the overall
    Greg> TGS operation fails.

Agreed.