On 03/25/2014 12:37 PM, Arpit Srivastava wrote:
[...]
> - gss_init_sec_context called again and a new service ticket acquired.
>
> Now here, the krb5cc cache would keep on accumulating service tickets of
> same name but different validity time stamps.
> Isn't that superfluous?

The default ccache format (FILE) is basically append-only, so there is no way to reclaim the space used by old tickets. We could prevent them from being displayed by klist (as I believe Heimdal does), but that wouldn't change the performance characteristics. We have medium-term plans to implement a daemon-backed ccache type like Heimdal has, which could more easily support removing old service tickets when getting new ones.

> - Is there any way to renew service tickets the way TGT is renewed
> (at least till the validity of TGT) using GSS/Krb APIs.

Per RFC 4120, service tickets can be renewed just like TGTs, by presenting them to the KDC and asking for a new ticket. However:

* Heimdal doesn't implement renewing non-TGTs (by my reading of the code), and I'm not sure whether Active Directory implements it.

* Whether or not they are TGTs, tickets can only be renewed while they are still valid. So if you got a 20-minute service ticket, used it once, then didn't use it again until it was expired, you wouldn't be able to renew it.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
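An added example, not code from this thread or from MIT krb5: a small Python reader for the version-4 FILE ccache layout that counts entries per service principal (making the append-only accumulation described in the reply visible) and applies the "renew only while still valid" rule from the second answer. The cache bytes, principal names and timestamps are constructed for the example; a real cache also carries a DeltaTime header tag and config entries, which this reader skips by length.

```python
import io
import struct
from collections import Counter

T0 = 1700000000  # constructed epoch base for the sample tickets (not real data)
def _cnt(b): return struct.pack(">I", len(b)) + b  # counted data: uint32 length + bytes
def _princ(s):  # name_type, component count, realm, then components
    name, realm = s.split("@")
    comps = name.split("/")
    return struct.pack(">II", 1, len(comps)) + _cnt(realm.encode()) + b"".join(_cnt(c.encode()) for c in comps)
def _cred(client, server, start, end, renew_till):
    return (_princ(client) + _princ(server)
            + struct.pack(">H", 18) + _cnt(b"\0" * 32)  # keyblock: enctype 18 (aes256), dummy key
            + struct.pack(">IIII", start, start, end, renew_till)  # authtime, starttime, endtime, renew_till
            + b"\0" + struct.pack(">III", 0, 0, 0)  # is_skey, ticket_flags, no addresses, no authdata
            + _cnt(b"dummy-ticket") + _cnt(b""))  # ticket, second_ticket

ME, TGS, SVC = "user@EXAMPLE.COM", "krbtgt/EXAMPLE.COM@EXAMPLE.COM", "host/app.example.com@EXAMPLE.COM"
SAMPLE_CCACHE = (b"\x05\x04" + struct.pack(">H", 0) + _princ(ME)  # v4 magic, empty header, default principal
                 + _cred(ME, TGS, T0, T0 + 36000, T0 + 604800)
                 + _cred(ME, SVC, T0, T0 + 1200, T0 + 604800)  # 20-minute service ticket
                 + _cred(ME, SVC, T0 + 1800, T0 + 3000, T0 + 604800))  # fetched again: same name, new times

def _rd_u32(f): return struct.unpack(">I", f.read(4))[0]
def _rd_data(f): return f.read(_rd_u32(f))
def _rd_princ(f):
    f.read(4); n = _rd_u32(f); realm = _rd_data(f).decode()  # name_type is skipped
    return "/".join(_rd_data(f).decode() for _ in range(n)) + "@" + realm

def read_ccache(blob):
    """Return the credential entries of a v4 FILE ccache in file order; old entries are never overwritten."""
    f = io.BytesIO(blob)
    assert f.read(2) == b"\x05\x04", "only FILE ccache version 4 is handled here"
    f.read(struct.unpack(">H", f.read(2))[0]); _rd_princ(f)  # skip header tags and default principal
    creds = []
    while f.tell() < len(blob):
        client, server = _rd_princ(f), _rd_princ(f)
        f.read(2); _rd_data(f)  # keyblock
        _, start, end, renew_till = struct.unpack(">IIII", f.read(16))
        f.read(5)  # is_skey + ticket_flags
        for _ in range(_rd_u32(f)): f.read(2); _rd_data(f)  # addresses
        for _ in range(_rd_u32(f)): f.read(2); _rd_data(f)  # authdata
        _rd_data(f); _rd_data(f)  # ticket, second_ticket
        creds.append({"client": client, "server": server, "start": start, "end": end, "renew_till": renew_till})
    return creds

def per_server(creds):  # repeated server names show the append-only accumulation the thread describes
    return dict(Counter(c["server"] for c in creds))
def renewable_at(cred, now):  # RFC 4120: renew only while still valid and before renew_till
    return cred["start"] <= now < cred["end"] and now < cred["renew_till"]
```

Running `per_server(read_ccache(SAMPLE_CCACHE))` reports two entries for the same host/ principal, and `renewable_at` on the first of them is false once its 20-minute lifetime has passed.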
