kadmin: failing dump/load

Patrik Lundin patrik.lundin at su.se
Mon Nov 13 18:41:31 CET 2017

On 2017-11-07 11:21:45, Roland C. Dowdeswell wrote:
> On Tue, Nov 07, 2017 at 10:55:08AM +0100, Patrik Lundin wrote:
> >
> > Additionally, I see that the prune code basically figures out the most
> > recent keyset timestamp that is older than the ticket maximum lifetime and
> > then removes all keysets with a timestamp older than that one. This
> > means that this too old but most recent keyset will be kept, but since
> > it was calculated to be older than max-lifetime, shouldnt it be removed
> > as well? As it stands now there will always remain at least one keyset
> > (depending on if there are more than one keyset with the same timestamp)
> > too old to be useful.
> > 
> > Would it make sense to alter the code to also remove that most recent
> > (but too old) keyset? The only functional difference of the diff below
> > is the "<" to "<=" change at the bottom, but it felt like it would
> > warrant a more fitting variable name as well:
> It isn't too old, however.  What we are trying to achieve here is
> that we keep all of the keys which might have outstanding tickets in
> someone's ccache.

Ah, I was confused by the "get" calls censoring the returned entries.
I was under the impression hdb_prune_keys() actually modified the database, I
understand now that it only acts as a filter and the actual modification of
the database is performed separately when a new key is set.

It makes sense to leave at least one trailing keyset if they are only trimmed in
conjunction with the principal getting a new key.

Sorry for the confusion on the list!

Patrik Lundin

More information about the Heimdal-discuss mailing list