X-RT-Original-Encoding: utf-8 Content-Transfer-Encoding: binary Content-Disposition: inline References: X-Mailer: MIME-tools 5.507 (Entity 5.507) Content-Type: text/html; charset="utf-8" In-Reply-To: Message-ID: MIME-Version: 1.0 X-RT-Interface: Web RT-Send-CC: Content-Length: 564 * krb5_get_credentials() ordinarily handles both checking the cache and storing into the cache.  For S4U2Self requests, it calls k5_get_proxy_cred_from_kdc(), which stores into the cache but does not check the cache, so repeated krb5_get_credentials() S4U2Self calls will result in duplicate cache entries.  (GSSAPI does its own cache check before making the S4U2Proxy request, and kvno -P uses the krb5_get_credentials_for_proxy() wrapper which does a cache check.  So this is purely an issue with the krb5_get_credentials() API.)