Ticket History #7976: Client keytab does not refresh manually obtained ccaches

# Wed Jul 30 11:14:38 2014 ghudson@mit.edu (Greg Hudson) - Ticket created

Subject:

Client keytab does not refresh manually obtained ccaches

Download (untitled) / with headers
text/plain 338B

The client keytab refresh mechanism only works for ccaches created by the
GSS initiator from the client keytab. There is also no easy way to look
at a ccache and see whether it has a refresh timer on it, since we don't
display ccache config entries in klist.

See also:

http://mailman.mit.edu/pipermail/kerberos/2014-July/020041.html

# Mon Mar 02 22:28:33 2020 ghudson@mit.edu (Greg Hudson) - Status changed from 'open' to 'resolved'

# Mon Mar 02 22:28:33 2020 ghudson@mit.edu (Greg Hudson) - Taken

# Mon Mar 02 22:28:33 2020 ghudson@mit.edu (Greg Hudson) - Correspondence added

Subject:	git commit
From:	ghudson@mit.edu

Download (untitled) / with headers
text/plain 810B

Refresh manually acquired creds from client keytab

If a client keytab is present but credentials are acquired manually,
the credentials would not be refreshed because no refresh_time config
var is set in the cache. Change kg_cred_time_to_refresh() to attempt
a refresh from the client keytab on any credentials which will expire
in the next 30 seconds.

[ghudson@mit.edu: adjused code and added test case]

https://github.com/krb5/krb5/commit/729896467e3c77904666019d6cbbda583ae49b95
Author: Robbie Harwood <rharwood@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 729896467e3c77904666019d6cbbda583ae49b95
Branch: master
src/lib/gssapi/krb5/acquire_cred.c | 14 +++++++++++---
src/tests/gssapi/t_client_keytab.py | 18 ++++++++++++++++++
2 files changed, 29 insertions(+), 3 deletions(-)

# Mon Nov 23 16:03:23 2020 ghudson@mit.edu (Greg Hudson) - Version_Fixed 1.19 added