The subject has an in-memory private Credentials set, which is used to store TGTs and SGTs. The key difference is: the first GSSContext established will query the subject's private Credentials for a SGT, not find one, then request a SGT from the KDC. I use "klist" to view the contents of the credential cache. My clients are running on a Lubuntu 17.04 Virtual Machine, using Free IPA as the Kerberos environment.

Question 1: Does the Java GSS-API not save service tickets to the credentials cache?

Question 2: Is there any downside to the fact that the service ticket is not saved to the cache?
suggest that is not the case, but this Microsoft technote says "The client does not need to go back to the KDC each time it wants access to this particular server".

```python
#!/usr/bin/python3.5
import gssapi
from io import BytesIO
server_name = 'HTTP/[email protected]'
```

```java
... COM", null);
// Kerberos V5 mechanism OID
Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");
// use default credentials
context = manager.createContext(serverName, krb5Oid, null, GSSContext.
```
Yes, existing Service Tickets (SGTs) that may be in the credentials cache are not being loaded, nor are any newly acquired SGTs written back to the cache; however, the KDC is not being constantly hammered (the real problem).
Both pure GSS and GSS with JAAS use a client principal subject.
The relevant code is Krb5SecContext() / KrbTicket() / SubjectComber.find() / findAux().
However, as SGTs were never loaded in step 1), an SGT will not be found!