https://bugzilla.redhat.com/show_bug.cgi?id=1669607
--- Comment #12 from Robbie Harwood rharwood@redhat.com ---
> Expired tickets are only useful to attackers, so there's absolutely no reason to keep them around.
That's... more reductionist than I think is accurate.
krb5 does change behavior based on the presence of tickets, expired or no. For instance, consider a collection with credentials for REDHAT.COM and IPA.REDHAT.COM (in that order). For hostname.redhat.com, the credential for REDHAT.COM will typically be preferred, even if it's expired. Pruning the credential for REDHAT.COM will cause the one for IPA.REDHAT.COM to be used instead. In that case, pruning is desirable (and for this reason, Simo has been in favor of it I believe).
However, consider instead the same setup with REDHAT.COM and FEDORAPROJECT.ORG. Pruning expired REDHAT.COM will cause FEDORAPROJECT.ORG's credential to be attempted. While this will obviously not work (no cross realm there), the errors will be confusing to a user who doesn't realize the REDHAT.COM credential has been expired (and there's nothing krb5 can do about it because the ccache expired it out from under us). And it's potentially even more confusing when cross-realm relationships come into play.
Upstream's position is that the second case is more typical, so in-tree ccache backends (FILE, DIR, MEMORY, etc.) do not prune. KEYRING prunes.
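The two collection scenarios from the comment, worked through in a small Python model. This is an added example, not krb5's own credential-selection code and not something posted in the bug; the suffix-based hostname-to-realm mapping, the cross-realm trust table, the "first credential that can reach the target realm, else the first credential" selection rule, and the constructed credentials are all assumptions made to illustrate the point. It shows why a pruning backend turns a clear "credential expired" outcome into a confusing "no cross-realm path" failure in the second case while fixing the first case.

```python
"""Toy model of ccache-collection credential selection with and without
expired-credential pruning. Assumptions (not krb5 behaviour verbatim):
  - a host maps to the realm given by its DNS suffix, upper-cased
  - the first credential whose realm can reach the target realm is used;
    if none can, the first credential in the collection is attempted anyway
  - cross-realm reachability comes from a constructed trust table
"""
from dataclasses import dataclass

NOW = 1_700_000_000  # constructed "current time" (unix seconds)


@dataclass(frozen=True)
class Cred:
    realm: str
    expires: int  # unix seconds; <= NOW means expired


# Constructed trust table: IPA.REDHAT.COM and REDHAT.COM trust each other,
# FEDORAPROJECT.ORG has no relationship with either.
CROSS_REALM = {
    ("REDHAT.COM", "IPA.REDHAT.COM"),
    ("IPA.REDHAT.COM", "REDHAT.COM"),
}


def host_realm(hostname: str) -> str:
    """Assumed mapping: hostname.redhat.com -> REDHAT.COM."""
    return hostname.split(".", 1)[1].upper()


def can_reach(cred_realm: str, target_realm: str) -> bool:
    return cred_realm == target_realm or (cred_realm, target_realm) in CROSS_REALM


def prune(collection, now=NOW):
    """What a pruning backend (KEYRING in the comment) does: drop expired creds."""
    return [c for c in collection if c.expires > now]


def select(collection, hostname, backend_prunes, now=NOW):
    """Return (outcome, realm) describing what the client would experience.

    outcome is one of:
      "ok"             - a valid credential that can reach the target was used
      "expired"        - the preferred credential was found but is expired
                         (krb5 can tell the user exactly what went wrong)
      "no_cross_realm" - a valid credential was attempted but has no path
                         to the target realm (the confusing error)
      "no_credentials" - nothing left in the collection
    """
    creds = prune(collection, now) if backend_prunes else list(collection)
    if not creds:
        return ("no_credentials", None)
    target = host_realm(hostname)
    chosen = next((c for c in creds if can_reach(c.realm, target)), creds[0])
    if chosen.expires <= now:
        return ("expired", chosen.realm)
    if not can_reach(chosen.realm, target):
        return ("no_cross_realm", chosen.realm)
    return ("ok", chosen.realm)


# Constructed collections matching the two scenarios in the comment.
IPA_CASE = [Cred("REDHAT.COM", NOW - 3600), Cred("IPA.REDHAT.COM", NOW + 3600)]
FEDORA_CASE = [Cred("REDHAT.COM", NOW - 3600), Cred("FEDORAPROJECT.ORG", NOW + 3600)]
HOST = "hostname.redhat.com"

if __name__ == "__main__":
    for name, coll in (("IPA", IPA_CASE), ("FEDORA", FEDORA_CASE)):
        for prunes in (False, True):
            print(name, "prune" if prunes else "keep", select(coll, HOST, prunes))
```

Running it prints that the IPA collection goes from an "expired" outcome to "ok" once expired credentials are pruned (the case where pruning helps), while the FEDORAPROJECT.ORG collection goes from a clear "expired" outcome to a "no_cross_realm" failure against a credential the user never expected to be tried, which is the confusing error the comment describes.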