Subject: Implement new krb5_get_credentials option: KRB5_GC_REPLACE
The new KRB5_GC_REPLACE option to krb5_get_credentials instructs the
function not to return the requested service ticket from the credentials
cache but instead to acquire a new one from the KDC and replace any
existing tickets with a matching service principal.
This functionality is required for tools which always want to obtain
a service ticket with a full lifetime. If there is an existing service
ticket with ten minutes left, krb5_get_credentials with no options will
happily return it even though it is about to expire. Some organizations
are willing to provide long-lived TGTs that use AES but wish to limit
the lifetime of afs service tickets to one hour because of their use of
single DES.