Received: from cmr0.ash.ops.us.uu.net (cmr0.ash.ops.us.uu.net [198.5.241.38]) by krbdev.mit.edu (8.9.3p2) with ESMTP id LAA15290; Wed, 7 Jan 2004 11:11:37 -0500 (EST)
From: gsu@UU.NET
Received: from imr0.ash.ops.us.uu.net by cmr0.ash.ops.us.uu.net with ESMTP (peer crosschecked as: imr0.ash.ops.us.uu.net [153.39.43.11]) id QQpwls27487; Wed, 7 Jan 2004 16:11:32 GMT
Received: from imr0.ash.ops.us.uu.net by imr0.ash.ops.us.uu.net with ESMTP (peer crosschecked as: localhost [127.0.0.1]) id QQpwls13060; Wed, 7 Jan 2004 16:11:26 GMT
Received: from galaxy.argfrp.us.uu.net by imr0.ash.ops.us.uu.net with ESMTP (peer crosschecked as: galaxy.argfrp.us.uu.net [153.39.56.113]) id QQpwls13051; Wed, 7 Jan 2004 16:11:25 GMT
Received: from localhost (gsu@localhost) by galaxy.argfrp.us.uu.net (8.9.3p2/8.9.3) with ESMTP id QQpwls29966; Wed, 7 Jan 2004 16:11:25 GMT
X-Authentication-Warning: galaxy.argfrp.us.uu.net: gsu owned process doing -bs
Date: Wed, 7 Jan 2004 11:11:25 -0500 (EST)
To: Sam Hartman via RT
Cc: gsu@UU.NET, krb5-prs@mit.edu
Subject: Re: [krbdev.mit.edu #2106] bug in krb5_cc_remove_cred API?
In-Reply-To:
Message-Id:
References:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
RT-Send-Cc:
X-RT-Original-Encoding: us-ascii
Content-Length: 1369

On Tue, 6 Jan 2004, Sam Hartman via RT wrote:

> >>>>> "gsu@UU" == gsu@UU NET via RT writes:
>
>     gsu@UU> I noticed that if there are more than one credentials for
>     gsu@UU> the same server, krb5_get_credentials returns the first
>     gsu@UU> one found which may be expired. I have to use
>     gsu@UU> krb5_cc_retrieve_cred with KRB5_TC_MATCH_TIMES option to
>     gsu@UU> get the good credential and send to the server for
>     gsu@UU> authentication. Since I have to keep getting new service
>     gsu@UU> ticket, I thought it would be nice if I can remove all old
>     gsu@UU> ones.
>
> The logic used by krb5_mk_req in 1.3.x should correctly use only
> unexpired credentials.  Previous versions of Kerberos did not tend to
> do this correctly.
>

Is this new logic in a release after 1.3.1?  I am looking at the 1.3.1
source tree.  Suppose I have 2 service tickets, and the first one is
expired:

  krb5_mk_req calls krb5_get_credentials, which returns the expired ticket.
  krb5_mk_req calls krb5_mk_req_extended with this expired credential.
  krb5_mk_req_extended calls krb5_validate_times.
  krb5_validate_times returns KRB5KRB_AP_ERR_TKT_EXPIRED.
  krb5_mk_req returns KRB5KRB_AP_ERR_TKT_EXPIRED to the caller.

So instead of calling krb5_mk_req, I call krb5_cc_retrieve_cred, then
call krb5_mk_req_extended with the valid credential.
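The call sequence traced in the reply above, reproduced as an added example that is not part of the thread and not MIT krb5 code. It is a small Python model of the 1.3.1 behaviour the reporter describes: a cache holding two service tickets for one server, krb5_get_credentials returning the first server match regardless of expiry, krb5_validate_times rejecting it, and the workaround of selecting with KRB5_TC_MATCH_TIMES (stored ticket must not expire before the requested endtime, as in libkrb5's cc_retr.c) before calling krb5_mk_req_extended. The server principal, ticket bytes, flag values and the plain-string error codes are constructed placeholders; the functions mirror the libkrb5 names only to keep the trace readable, and nothing here links against libkrb5.

```python
"""Model of the krb5 1.3.1 credential-cache lookups described in the thread.

Added example, not MIT krb5 code.  It reproduces the documented selection
semantics on a constructed in-memory cache so the expired-first-match
failure and the KRB5_TC_MATCH_TIMES workaround can be run offline.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Placeholder flag bits and error names (not libkrb5's numeric values).
KRB5_TC_MATCH_TIMES = 0x0001        # stored endtime >= requested endtime
KRB5_TC_MATCH_TIMES_EXACT = 0x0002  # stored times == requested times
OK = 0
KRB5_CC_NOTFOUND = "KRB5_CC_NOTFOUND"
KRB5KRB_AP_ERR_TKT_EXPIRED = "KRB5KRB_AP_ERR_TKT_EXPIRED"
KRB5KRB_AP_ERR_TKT_NYV = "KRB5KRB_AP_ERR_TKT_NYV"
CLOCKSKEW = 300  # seconds, the usual krb5 default


@dataclass
class Creds:
    """The subset of krb5_creds this model needs."""
    server: str
    starttime: int
    endtime: int
    ticket: bytes


def krb5_get_credentials(cache: List[Creds], server: str) -> Optional[Creds]:
    """Cache lookup as the reporter observed it: first entry for the server,
    with no check of its lifetime."""
    for c in cache:
        if c.server == server:
            return c
    return None


def krb5_validate_times(creds: Creds, now: int):
    """Lifetime check, with the same clock-skew allowance on both ends."""
    if creds.starttime > now + CLOCKSKEW:
        return KRB5KRB_AP_ERR_TKT_NYV
    if creds.endtime < now - CLOCKSKEW:
        return KRB5KRB_AP_ERR_TKT_EXPIRED
    return OK


def krb5_mk_req_extended(creds: Creds, now: int) -> Tuple[object, Optional[bytes]]:
    """Validates the lifetime before building the (placeholder) AP-REQ."""
    err = krb5_validate_times(creds, now)
    if err != OK:
        return err, None
    return OK, b"AP-REQ:" + creds.ticket


def krb5_mk_req(cache: List[Creds], now: int, server: str):
    """The failing path: first match from the cache, then validation."""
    creds = krb5_get_credentials(cache, server)
    if creds is None:
        return KRB5_CC_NOTFOUND, None
    return krb5_mk_req_extended(creds, now)


def krb5_cc_retrieve_cred(cache: List[Creds], mcreds: Creds,
                          whichfields: int) -> Optional[Creds]:
    """Matching with the time flags: with KRB5_TC_MATCH_TIMES a stored ticket
    that would expire before mcreds.endtime is skipped, so asking for
    endtime == now filters out expired tickets."""
    for c in cache:
        if c.server != mcreds.server:
            continue
        if whichfields & KRB5_TC_MATCH_TIMES_EXACT:
            if (c.starttime, c.endtime) != (mcreds.starttime, mcreds.endtime):
                continue
        elif whichfields & KRB5_TC_MATCH_TIMES:
            if mcreds.endtime and c.endtime < mcreds.endtime:
                continue
        return c
    return None


def workaround_mk_req(cache: List[Creds], now: int, server: str):
    """The reporter's workaround: select with KRB5_TC_MATCH_TIMES, then call
    krb5_mk_req_extended directly with the credential that is still valid."""
    mcreds = Creds(server=server, starttime=0, endtime=now, ticket=b"")
    creds = krb5_cc_retrieve_cred(cache, mcreds, KRB5_TC_MATCH_TIMES)
    if creds is None:
        return KRB5_CC_NOTFOUND, None
    return krb5_mk_req_extended(creds, now)


def expired_creds(cache: List[Creds], now: int) -> List[Creds]:
    """Entries the reporter wanted krb5_cc_remove_cred to drop."""
    return [c for c in cache if c.endtime < now]


# Constructed sample cache: NOW is the message timestamp (2004-01-07 16:11:25
# UTC); the server name and ticket bytes are placeholders.
NOW = 1073491885
SERVER = "host/example.test@EXAMPLE.TEST"
CACHE = [
    Creds(SERVER, NOW - 36000, NOW - 3600, b"ticket-1"),   # expired an hour ago
    Creds(SERVER, NOW - 600, NOW + 28800, b"ticket-2"),    # valid for 8 hours
]

if __name__ == "__main__":
    print("krb5_mk_req       ->", krb5_mk_req(CACHE, NOW, SERVER)[0])
    print("workaround_mk_req ->", workaround_mk_req(CACHE, NOW, SERVER))
    print("to remove         ->", [c.ticket for c in expired_creds(CACHE, NOW)])
```

Running it prints the expired error from the first path and a successful AP-REQ built from the second ticket on the workaround path; the last line lists what a cleanup pass would hand to krb5_cc_remove_cred.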