I had asked in an earlier thread about the existence of multiple tickets in my cache based off of a single ticket exchange.
Greg explained the following:

"When a client cannot determine the realm of a remote host authoritatively (via krb5.conf [domain_realm] in a typical setup), it tries to use referrals using the client principal realm. Internally, a service principal is represented with an empty realm to mean "we don't know the realm yet." Once the ticket is obtained, it is cached under the canonical service name with realm, and also under the internal "we don't know the realm yet" name so that the referral request does not have to be repeated."

However I am also seeing in some scenarios what appears to be the exact same tickets (based on SPN, time, flags, and encryption type) listed multiple times in my cache. Below for instance the ticket with details '06/19/14 11:34:25 06/19/14 11:44:25 ldap/[email protected]' shows up 5 times. Can someone provide an explanation for this?

thanks

[ROOT\rootuser@centos65-01 ~]$ /opt/pbis/bin/klist -e -f
Ticket cache: FILE:/tmp/krb5cc_1071646274
Default principal: [email protected]

Valid starting     Expires            Service principal
06/19/14 11:33:33  06/19/14 12:33:53  krbtgt/[email protected]
        renew until 06/20/14 11:33:33, Flags: FRIA
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 11:33:53  06/19/14 11:43:53  host/[email protected]
        renew until 06/20/14 11:33:33, Flags: FRA
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, arcfour-hmac
06/19/14 11:34:25  06/19/14 11:44:25  ldap/[email protected]
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 11:34:25  06/19/14 11:44:25  krbtgt/[email protected]
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 11:34:25  06/19/14 11:44:25  ldap/ [email protected]
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 11:34:25  06/19/14 11:44:25  krbtgt/[email protected]
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 11:34:25  06/19/14 11:44:25  ldap/ [email protected]
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 11:34:25  06/19/14 11:44:25  krbtgt/[email protected]
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 11:34:25  06/19/14 11:44:25  ldap/ [email protected]
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 11:34:25  06/19/14 11:44:25  krbtgt/[email protected]
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 11:34:25  06/19/14 11:44:25  ldap/ [email protected]
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 11:34:25  06/19/14 11:44:25  krbtgt/[email protected]
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 11:34:25  06/19/14 11:44:25  ldap/ [email protected]
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 12:09:25  06/19/14 12:19:25  ldap/[email protected]
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 12:09:30  06/19/14 12:19:30  krbtgt/[email protected]
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 12:09:30  06/19/14 12:19:30  ldap/ [email protected]
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 12:09:30  06/19/14 12:19:30  krbtgt/[email protected]
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 12:09:30  06/19/14 12:19:30  ldap/ [email protected]
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 12:09:30  06/19/14 12:19:30  krbtgt/[email protected]
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 12:09:30  06/19/14 12:19:30  ldap/ [email protected]
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 12:09:30  06/19/14 12:19:30  krbtgt/[email protected]
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 12:09:30  06/19/14 12:19:30  ldap/ [email protected]
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 12:09:30  06/19/14 12:19:30  krbtgt/[email protected]
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 12:09:30  06/19/14 12:19:30  ldap/ [email protected]
        renew until 06/20/14 11:33:33, Flags: FRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
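
An added example, not part of the original post: a small parser that groups `klist -e -f` entries by the fields compared above (times, SPN, flags, encryption types) and reports those listed more than once. The sample listing, host name and realm are constructed placeholders; klist does not print the ticket bytes, so equal fields indicate a probable duplicate rather than proving one.

```python
import re
from collections import Counter

# Constructed sample in the layout printed by `klist -e -f`;
# host name and realm are placeholders, not values from the post.
SAMPLE = """\
Valid starting     Expires            Service principal
06/19/14 11:33:33  06/19/14 12:33:53  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 06/20/14 11:33:33, Flags: FRIA
\tEtype (skey, tkt): arcfour-hmac, arcfour-hmac
06/19/14 11:34:25  06/19/14 11:44:25  ldap/dc1.example.com@EXAMPLE.COM
\trenew until 06/20/14 11:33:33, Flags: FRAO
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 11:34:25  06/19/14 11:44:25  ldap/dc1.example.com@EXAMPLE.COM
\trenew until 06/20/14 11:33:33, Flags: FRAO
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 11:34:25  06/19/14 11:44:25  ldap/dc1.example.com@EXAMPLE.COM
\trenew until 06/20/14 11:33:33, Flags: FRAO
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/19/14 12:09:25  06/19/14 12:19:25  ldap/dc1.example.com@EXAMPLE.COM
\trenew until 06/20/14 11:33:33, Flags: FRAO
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""

# One cache entry: start, end, service principal, optional "renew until",
# flags, then session-key and ticket encryption types. Whitespace between
# fields is matched loosely so flattened (single-line) output also parses.
ENTRY = re.compile(
    r"(?P<start>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<end>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<spn>\S+)\s+"
    r"(?:renew until [\d/]+ [\d:]+, )?Flags: (?P<flags>\w+)\s+"
    r"Etype \(skey, tkt\): (?P<skey>[\w-]+), (?P<tkt>[\w-]+)"
)


def duplicate_entries(klist_text):
    """Return {(start, end, spn, flags, skey, tkt): count} for entries seen more than once."""
    counts = Counter(m.groups() for m in ENTRY.finditer(klist_text))
    return {key: n for key, n in counts.items() if n > 1}


if __name__ == "__main__":
    for key, n in duplicate_entries(SAMPLE).items():
        print(n, "x", *key)
```
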
