Index: source/libsmb/clikrb5.c
===================================================================
--- source/libsmb/clikrb5.c	(revision 190)
+++ source/libsmb/clikrb5.c	(working copy)
@@ -249,6 +249,7 @@
 	krb5_creds 		* credsp;
 	krb5_creds 		  creds;
 	krb5_data in_data;
+	int expiry_offset = 10;
 	
 	retval = krb5_parse_name(context, principal, &server);
 	if (retval) {
@@ -270,6 +271,7 @@
 		goto cleanup_creds;
 	}
 
+get_ticket:
 	if ((retval = krb5_get_credentials(context, 0,
 					   ccache, &creds, &credsp))) {
 		DEBUG(1,("krb5_get_credentials failed for %s (%s)\n", 
@@ -285,6 +287,31 @@
 		krb5_set_real_time(context, t + time_offset + 1, 0);
 	}
 
+	/* cope with expired tickets */
+	if ( (unsigned)credsp->times.endtime - expiry_offset < time(NULL) ) {
+		
+		DEBUG(3,("Ticket [%s] in ccache [%s] expires / expired at [%s] (%d).\n", 
+			principal, krb5_cc_default_name(context),
+			http_timestring((unsigned)credsp->times.endtime), (unsigned)credsp->times.endtime));
+
+		/* we currently can not delete credentials from heimdal's file-ccaches */
+		if ( (StrCaseCmp(krb5_cc_get_type(context, ccache), "FILE"))) {
+
+			retval = krb5_cc_remove_cred(context, ccache, 0, credsp);
+			if (retval) {
+				DEBUG(1,("krb5_cc_remove_cred failed for %s (%s)\n", principal, error_message(retval)));
+				goto cleanup_creds;
+			}
+			goto get_ticket;
+		}
+
+		DEBUG(3,("Tickets can currently not be re-obtained for file-based ccaches.\n"));
+	} 
+	
+	DEBUG(10,("Ticket [%s] in ccache [%s] is valid until [%s] (%d)\n",
+		principal, krb5_cc_default_name(context),
+		http_timestring((unsigned)credsp->times.endtime), (unsigned)credsp->times.endtime));
+
 	in_data.length = 0;
 	retval = krb5_mk_req_extended(context, auth_context, ap_req_options, 
 				      &in_data, credsp, outbuf);