From: Todd Lubin <tlubin@janestreet.com>
Date: Wed, 1 Aug 2018 09:17:51 -0400
Subject: krb5_get_credentials incorrectly matches user to user ticket
To: krb5-bugs@mit.edu

It seems like there is no way to instruct krb5_get_credentials not to use a cached user-to-user ticket for a particular service principal.
When you pass in KRB5_GC_USER_USER, there is care taken to ensure only a user-to-user ticket is selected. However, the lack of that flag doesn't prevent a user-to-user ticket from being selected from the cache.
It seems like either:
1) the lack of KRB5_GC_USER_USER should only match standard tickets
2) there should be some other flag introduced to express this desire