[Freeipa-devel] Notes on server to server sasl

Simo Sorce ssorce at redhat.com
Fri Oct 31 16:21:11 UTC 2008


On Fri, 2008-10-31 at 09:18 -0600, Rich Megginson wrote:

> > The credential cache contains the expiration date of the credentials,
> > you should be able to check without contacting the KDC (and we do not
> > want to contact the KDC at all, unless we need to acquire a ticket).
> >   
> So if current datetime < cred expiration datetime, then the creds are 
> ok?  No other validation needs to be done?

Usually it is safe to assume so.
The only exception is someone generating a new key for the service, and
replacing the service keytab instead of appending to it (so that the
older key material with the previous kvno is no longer available to the
server, which then cannot verify older credentials that are still valid).

In this case you should get back an auth error. You may decide at this
point to discard the current ticket and try to acquire a new one.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
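
The decision flow Simo describes, as an added simulation that is not part of the original thread or of the FreeIPA code: the client reuses a cached ticket purely on its local endtime, and only when the service rejects it (its kvno no longer in the keytab) discards the ticket and reacquires. Names `Keytab`, `KDC`, `Client` and the kvno/endtime fields are assumptions of this model, not real krb5 API.

```python
from dataclasses import dataclass

class AuthError(Exception):
    """Service could not decrypt the ticket: no key for that kvno."""

@dataclass
class Ticket:
    service: str
    kvno: int       # key version the ticket is encrypted under
    endtime: float  # absolute expiry, seconds since the epoch

class Keytab:
    """Service keytab; rotate(append=False) models replacing the file."""
    def __init__(self):
        self.kvnos, self.current = {1}, 1
    def rotate(self, append: bool) -> None:
        self.current += 1
        self.kvnos = self.kvnos | {self.current} if append else {self.current}

class KDC:
    """Constructed stand-in: issues tickets under the service's current kvno."""
    def __init__(self, keytab: Keytab, lifetime: float):
        self.keytab, self.lifetime = keytab, lifetime
    def issue(self, service: str, now: float) -> Ticket:
        return Ticket(service, self.keytab.current, now + self.lifetime)

def service_accepts(keytab: Keytab, t: Ticket) -> None:
    """The service side: succeed only if a key with the ticket's kvno exists."""
    if t.kvno not in keytab.kvnos:
        raise AuthError(f"no key for kvno {t.kvno}")

class Client:
    def __init__(self, kdc: KDC):
        self.kdc, self.ccache, self.kdc_calls = kdc, {}, 0
    def ticket_for(self, service: str, now: float) -> Ticket:
        t = self.ccache.get(service)
        if t is None or now >= t.endtime:  # local check, no KDC round trip
            t = self.kdc.issue(service, now)
            self.kdc_calls += 1
            self.ccache[service] = t
        return t
    def authenticate(self, keytab: Keytab, service: str, now: float) -> Ticket:
        t = self.ticket_for(service, now)
        try:
            service_accepts(keytab, t)
        except AuthError:
            del self.ccache[service]          # discard the rejected ticket
            t = self.ticket_for(service, now)  # and acquire a fresh one
            service_accepts(keytab, t)         # propagate if still rejected
        return t
```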
