From: Tomek Mrugalski Date: Fri, 24 Jun 2022 08:22:34 +0000 (+0200) Subject: [#2247] Rephrased text X-Git-Tag: Kea-2.1.7~29 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4c638170d4ab993dc8ef65da0ceadf8f998273d7;p=thirdparty%2Fkea.git [#2247] Rephrased text --- diff --git a/doc/sphinx/arm/ext-gss-tsig.rst b/doc/sphinx/arm/ext-gss-tsig.rst index 28a9fd9ed4..f415b64a0d 100644 --- a/doc/sphinx/arm/ext-gss-tsig.rst +++ b/doc/sphinx/arm/ext-gss-tsig.rst @@ -806,13 +806,17 @@ The server map parameters are described below: .. note:: - Even when the client keytab can be specified either in the configuration - or the environment variable, leaving the library acquiring and caching - client credentials, to use cached client credentials is far better. - - For instance only the read access right is needed to use the cache, - to fetch credentials and update the cache requires the write access - right too. + Generally it is not recommended to specify both the client keytab (``client-keytab``) + and the credentials cache (``credentials-cache``), although this may + differ between Kerberos implementations. The client keytab is just for + the client key and is typically used to specify the key explicitly in more + static manner, while the credentials cache can be used to store multiple + credentials and can be dynamically updated by the Keberos library. As such, + the credentials-cache is more flexible and thus the recommended alternative. + + Also note that only the read access right is needed to use the cache. + Fetching credentials and updating the cache requires the write access + right. GSS-TSIG Automatic Key Removal
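Review bot: the added note text misspells the library name in "dynamically updated by the Keberos library"; it should read "Kerberos library". In the same paragraph, "in more static manner" is missing an article ("in a more static manner"). The closing sentence writes "the credentials-cache" as plain hyphenated text, while the first sentence marks the parameter as a literal (``credentials-cache``); either use the literal form there as well or write "the credentials cache". The paragraph also opens by saying that specifying both parameters is not recommended but ends by only calling the cache "the recommended alternative"; saying explicitly that ``client-keytab`` should be left unset when the cache is used would make the guidance easier to act on. The second added paragraph, on read versus write access to the cache, reads clearly as written.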