Subject: Client keytab does not refresh manually obtained ccaches
The client keytab refresh mechanism only works for ccaches created by the
GSS initiator from the client keytab. There is also no easy way to look
at a ccache and see whether it has a refresh timer on it, since we don't
display ccache config entries in klist.

See also:

http://mailman.mit.edu/pipermail/kerberos/2014-July/020041.html

Subject: git commit
From: ghudson@mit.edu

Refresh manually acquired creds from client keytab

If a client keytab is present but credentials are acquired manually,
the credentials would not be refreshed because no refresh_time config
var is set in the cache. Change kg_cred_time_to_refresh() to attempt
a refresh from the client keytab on any credentials which will expire
in the next 30 seconds.

[ghudson@mit.edu: adjusted code and added test case]

https://github.com/krb5/krb5/commit/729896467e3c77904666019d6cbbda583ae49b95
Author: Robbie Harwood <rharwood@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 729896467e3c77904666019d6cbbda583ae49b95
Branch: master
src/lib/gssapi/krb5/acquire_cred.c | 14 +++++++++++---
src/tests/gssapi/t_client_keytab.py | 18 ++++++++++++++++++
2 files changed, 29 insertions(+), 3 deletions(-)