Received: from luminous.mit.edu (LUMINOUS.MIT.EDU [18.101.1.61])
	by krbdev.mit.edu (8.9.3p2) with ESMTP id TAA11412;
	Tue, 6 Jan 2004 19:42:43 -0500 (EST)
Received: by luminous.mit.edu (Postfix, from userid 1000)
	id B58ED7661E; Tue, 6 Jan 2004 19:41:48 -0500 (EST)
To: rt@krbdev.mit.edu
Cc:
Subject: Re: [krbdev.mit.edu #2106] bug in krb5_cc_remove_cred API?
References:
From: Sam Hartman
Date: Tue, 06 Jan 2004 19:41:48 -0500
In-Reply-To: (rt-comment@krbdev.mit.edu's message of "Tue, 6 Jan 2004 17:14:37 -0500 (EST)")
Message-Id: <871xqcvbcj.fsf@luminous.mit.edu>
User-Agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/21.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
RT-Send-Cc:
X-RT-Original-Encoding: us-ascii
Content-Length: 715

>>>>> "gsu@UU" == gsu@UU NET via RT writes:

    gsu@UU> I noticed that if there is more than one credential for
    gsu@UU> the same server, krb5_get_credentials returns the first
    gsu@UU> one found which may be expired. I have to use
    gsu@UU> krb5_cc_retrieve_cred with KRB5_TC_MATCH_TIMES option to
    gsu@UU> get the good credential and send to the server for
    gsu@UU> authentication. Since I have to keep getting new service
    gsu@UU> tickets, I thought it would be nice if I can remove all old
    gsu@UU> ones.

The logic used by krb5_mk_req in 1.3.x should correctly use only
unexpired credentials. Previous versions of Kerberos did not tend to
do this correctly.
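
Added example, not part of the original message and not MIT Kerberos code: a small C model of the cache lookup discussed in this thread, contrasting a first-match search with one that also requires the ticket's end time to reach a caller-supplied minimum (the endtime comparison behind KRB5_TC_MATCH_TIMES). The struct, function names, principals and times are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Simplified stand-in for a cached service ticket (not libkrb5's krb5_creds). */
struct model_cred {
    const char *server;   /* service principal name */
    time_t endtime;       /* time at which the ticket expires */
};

/* First-match lookup: returns the first entry for the server, expired or not. */
const struct model_cred *find_first(const struct model_cred *cache, size_t n,
                                    const char *server)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(cache[i].server, server) == 0)
            return &cache[i];
    return NULL;
}

/* Time-matched lookup: the entry must also end no earlier than min_endtime.
 * Passing the current time as min_endtime skips tickets already expired. */
const struct model_cred *find_valid(const struct model_cred *cache, size_t n,
                                    const char *server, time_t min_endtime)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(cache[i].server, server) == 0 &&
            cache[i].endtime >= min_endtime)
            return &cache[i];
    return NULL;   /* nothing usable: the caller must obtain a fresh ticket */
}

/* Constructed sample cache: two tickets for the same service, oldest first. */
static const struct model_cred sample_cache[] = {
    { "host/app.example.com@EXAMPLE.COM", 1000 },  /* expired by t=2000 */
    { "host/db.example.com@EXAMPLE.COM",  9000 },
    { "host/app.example.com@EXAMPLE.COM", 5000 },  /* still valid at t=2000 */
};
#define SAMPLE_N (sizeof sample_cache / sizeof sample_cache[0])

int main(void)
{
    const char *svc = "host/app.example.com@EXAMPLE.COM";
    printf("first match ends at %ld\n", (long)find_first(sample_cache, SAMPLE_N, svc)->endtime);
    printf("valid at t=2000 ends at %ld\n", (long)find_valid(sample_cache, SAMPLE_N, svc, 2000)->endtime);
    return 0;
}
```

When every cached ticket for the service has expired, `find_valid` returns NULL rather than a stale entry, which is the signal to request a new service ticket.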