From b7e699597e507da9fa808a6b135fd3f6b7afb629 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Mon, 17 Jun 2024 11:53:36 -0400
Subject: [PATCH] krb5: MIT krb5 FILE ccache remove cred compatibility

MIT commit d3b39a8bac6206b5ea78b0bf6a2958c1df0b0dd5 implemented krb5_cc_remove_cred() for FILE ccaches by setting endtime to zero and authtime to minus one and then filtering out those credentials from get_next(). This change sets "authtime = -1" for the removed cred to permit MIT krb5 to ignore removed credentials from a shared FILE ccache. MIT commit 4c0838bb4c232866b95c9f2f72a55bf77cfc1308 modified the cred_removed() check to restore compatibility with Heimdal.
---
 lib/krb5/fcache.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/krb5/fcache.c b/lib/krb5/fcache.c
index adf22eb72..0e6a61244 100644
--- a/lib/krb5/fcache.c
+++ b/lib/krb5/fcache.c
@@ -1088,6 +1088,9 @@ cred_delete(krb5_context context,
 */
 cred->times.endtime = 0;
 
+ /* For compatibility with MIT d3b39a8bac6206b5ea78b0bf6a2958c1df0b0dd5 */
+ cred->times.authtime = -1;
+
 /* ...except for config creds because we don't check their endtimes */
 if (srealm && strcmp(srealm, "X-CACHECONF:") == 0) {
 ret = krb5_principal_set_realm(context, cred->server, "X-RMED-CONF:");
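Review bot: The new comment above `cred->times.authtime = -1;` cites only an MIT commit hash, so a reader of fcache.c cannot tell that `endtime == 0` and `authtime == -1` together are the removed-credential marker that MIT's get_next() filters on. I would spell that out, e.g. `/* MIT krb5 (d3b39a8b) skips a cred only when endtime == 0 and authtime == -1; set both so MIT readers of a shared FILE ccache ignore it */`. That also records the security reason for the line: without it, a credential removed here could still be returned to an MIT client sharing the cache. The assignment sits before the X-CACHECONF branch, so config entries are rewritten with `authtime = -1` as well. That looks harmless, but it is worth confirming that it is intended. cred_delete() starts and ends outside this hunk, so how the modified cred is written back is not visible here.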