On 05/12/2017 03:49 PM, Rahul G wrote:
> I observed that when a user from a sub sub domain (three levels down from
> top) makes a request, the init_sec_context function (which eventually calls
> get_creds.c)
> stores the TGT of the sub sub domain in the ccache.
> Problem is, when another user from the same domain makes a request, it
> stores the same TGT again and
> the cache now has 2 copies of the same TGT, and this continues for every
> user, thereby increasing the memory used by the process.

This sounds like a variant of
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8579 where the KDC
response is an alternate TGT. We recently committed a change to master
to fix that problem:

https://github.com/krb5/krb5/commit/1dc619624421002b1e64d3b8c7e270508381b3e6

Unfortunately we don't put out KfW releases very often, but if you're
prepared to rebuild KfW from source code you could apply that patch.