Subject: getting cross-realm TGTs makes inefficient use of the credentials cache
In src/lib/krb5/krb/get_creds.c:begin_get_tgt(), we first check if there is a cached copy of the
desired foreign TGT. If not, we fall back to getting the local TGT and walking the full capath
starting from the local realm, ignoring any cached intermediate TGTs if the capath is nontrivial.
Since the Windows LSA cache denies access to the session key for cross-realm TGTs as well as
local TGTs, fixing this issue is unlikely to cause any behavior change, so it remains just a slight
inefficiency.
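
A toy model of the lookup described above, added here as an illustration and not taken from get_creds.c: it counts TGS requests for the behaviour the ticket reports and for a walk that resumes from the cached TGT nearest the target. Assumptions: the capath is an ordered realm list (local first, target last), the cache is modelled as the set of realms a TGT is held for, each hop costs one request, and the realm names and function names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: capath from local realm A to target realm D. */
static const char *const SAMPLE_PATH[] = { "A.EXAMPLE", "B.EXAMPLE", "C.EXAMPLE", "D.EXAMPLE" };
/* Constructed cache: local TGT plus intermediate TGTs for B and C. */
static const char *const SAMPLE_CACHE[] = { "A.EXAMPLE", "B.EXAMPLE", "C.EXAMPLE" };

/* Return 1 if the modelled cache holds a TGT for this realm. */
static int cached(const char *realm, const char *const *cache, size_t ncache)
{
    for (size_t i = 0; i < ncache; i++)
        if (strcmp(cache[i], realm) == 0)
            return 1;
    return 0;
}

/* Behaviour reported in the ticket: a cached TGT for the target realm is
 * used directly; otherwise the walk restarts from the local TGT and every
 * hop is requested again, even if intermediate TGTs are cached. */
size_t tgs_requests_current(const char *const *path, size_t n,
                            const char *const *cache, size_t ncache)
{
    if (n == 0 || cached(path[n - 1], cache, ncache))
        return 0;
    return n - 1;
}

/* Alternative: scan from the target backwards and resume the walk from the
 * first realm for which a TGT is already cached. */
size_t tgs_requests_resume(const char *const *path, size_t n,
                           const char *const *cache, size_t ncache)
{
    for (size_t i = n; i-- > 1; )
        if (cached(path[i], cache, ncache))
            return n - 1 - i;
    return n ? n - 1 : 0;   /* nothing cached beyond the local realm */
}

int main(void)
{
    printf("current: %zu TGS requests\n",
           tgs_requests_current(SAMPLE_PATH, 4, SAMPLE_CACHE, 3));
    printf("resume:  %zu TGS requests\n",
           tgs_requests_resume(SAMPLE_PATH, 4, SAMPLE_CACHE, 3));
    return 0;
}
```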