Avoid large numbers of refresh_time cache entries

Commit 729896467e3c77904666019d6cbbda583ae49b95 amended
kg_cred_time_to_refresh() to attempt a refresh from a client keytab
when creds are close to expiration, even if no refresh_time config
entry is set (as would be the case if the creds were acquired from a
client keytab in the first place).  The added conditional sets a
refresh_time config entry, which is unhelpful as it has no
corresponding check for one.  kg_cred_time_to_refresh() is called
before can_get_initial_creds(), so we add a config entry on every
acquire_cred call when the creds are expired or close to expired, even
with no accessible keytab.  Remove the set_refresh_time() call to
avoid this inefficient behavior.

ticket: 9179 (new)
tags: pullup
target_version: 1.22-next

diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index d49ad07ea4f07ab0122b1926de2d49e3b7244e12..aa1a486dcaa061f4cd4add02f207f5f48f30d748 100644 (file)
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -546,8 +546,7 @@ set_refresh_time(krb5_context context, krb5_ccache ccache,
     krb5_clear_error_message(context);
 }
 
-/* Return true if it's time to refresh cred from the client keytab.  If
- * returning true, avoid retrying for 30 seconds. */
+/* Return true if it's time to refresh cred from the client keytab. */
 krb5_boolean
 kg_cred_time_to_refresh(krb5_context context, krb5_gss_cred_id_rec *cred)
 {
@@ -556,17 +555,18 @@ kg_cred_time_to_refresh(krb5_context context, krb5_gss_cred_id_rec *cred)
     if (krb5_timeofday(context, &now))
         return FALSE;
     soon = ts_incr(now, 30);
+
+    /* If a refresh time is set and has elapsed, attempt a refresh, and set a
+     * new refresh time to avoid retrying for 30 seconds. */
     if (cred->refresh_time != 0 && !ts_after(cred->refresh_time, now)) {
         set_refresh_time(context, cred->ccache, soon);
         return TRUE;
     }
 
-    /* If the creds will expire soon, try to refresh even if they weren't
+    /* If the creds will expire soon, attempt a refresh even if they weren't
      * acquired with a client keytab. */
-    if (ts_after(soon, cred->expire)) {
-        set_refresh_time(context, cred->ccache, soon);
+    if (ts_after(soon, cred->expire))
         return TRUE;
-    }
 
     return FALSE;
 }