authorJeffrey Altman <jaltman@secure-endpoints.com>2003-12-15 15:55:15 +0000
committerJeffrey Altman <jaltman@secure-endpoints.com>2003-12-15 15:55:15 +0000
commit9cda449368c5a04eafce6bc4ae0fffdd6050c43e (patch)
tree3ac41fa4aa7b43cdc6849fa69eada3397268892e /src
parent9539eeb2a01707668b122f1c0010ad2c7b5ba1b6 (diff)
* cc_msla.c: Enable purging of the MS Kerberos LSA cache when the TGT
has expired. This will force the LSA to get a new TGT instead of returning the expired version. ticket: 2049 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15924 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r--src/lib/krb5/ccache/ChangeLog6
-rw-r--r--src/lib/krb5/ccache/cc_mslsa.c11
2 files changed, 11 insertions, 6 deletions
diff --git a/src/lib/krb5/ccache/ChangeLog b/src/lib/krb5/ccache/ChangeLog
index bc77c41c1..edfed8589 100644
--- a/src/lib/krb5/ccache/ChangeLog
+++ b/src/lib/krb5/ccache/ChangeLog
@@ -1,5 +1,11 @@
2003-12-15 Jeffrey Altman <jaltman@mit.edu>
+ * cc_msla.c: Enable purging of the MS Kerberos LSA cache when the TGT
+ has expired. This will force the LSA to get a new TGT instead of
+ returning the expired version.
+
+2003-12-15 Jeffrey Altman <jaltman@mit.edu>
+
* cc_mslsa.c: Perform a GetMSTGT() call as part of krb5_lcc_start_seq_get
to ensure that the tgt is refreshed
diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
index 531fed131..039959a4e 100644
--- a/src/lib/krb5/ccache/cc_mslsa.c
+++ b/src/lib/krb5/ccache/cc_mslsa.c
@@ -489,15 +489,14 @@ PurgeMSTGT(HANDLE LogonHandle, ULONG PackageId)
return TRUE;
}
-//
-// #define ENABLE_PURGING
+#define ENABLE_PURGING 1
// to allow the purging of expired tickets from LSA cache. This is necessary
// to force the retrieval of new TGTs. Microsoft does not appear to retrieve
// new tickets when they expire. Instead they continue to accept the expired
-// tickets. I do not want to enable purging of the LSA cache without testing
-// the side effects in a Windows domain with a machine which has been suspended,
-// removed from the network, and resumed after ticket expiration.
-//
+// tickets. This is safe to do because the LSA purges its cache when it
+// retrieves a new TGT (ms calls this renew) but not when it renews the TGT
+// (ms calls this refresh).
+
static BOOL
GetMSTGT(HANDLE LogonHandle, ULONG PackageId,KERB_EXTERNAL_TICKET **ticket)
{
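Review bot: The rewritten comment below `#define ENABLE_PURGING 1` drops the offline case the old text named (machine suspended, removed from the network, resumed after ticket expiration) without saying it was tested, and the new rationale only covers what the LSA does once it can reach a KDC. The code guarded by the macro is outside this hunk, so this is inferred, but if the purge runs while no KDC is reachable the logon session may be left with no TGT at all, and since the LSA cache belongs to the logon session the purge would affect every process using it, not only this library's caller. I would record that in the comment, e.g. `// NOTE: the purge is session-wide; if no KDC is reachable afterwards the session has no TGT until one can be obtained.`, and open the block with `// ENABLE_PURGING allows the purging of expired tickets from the LSA cache.` because the first comment line is now a sentence fragment left over from the old `// #define` form. GetMSTGT's body continues past the end of the hunk.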