diff --git a/rhel8/kerberos.md b/rhel8/kerberos.md index f9c34947..c3c8fe1e 100644 --- a/rhel8/kerberos.md +++ b/rhel8/kerberos.md @@ -217,6 +217,21 @@ Using a random, non-existing cache name resulted in a failure, not in the creati So that self made PAM module would need to be extended to also create the cache. I assumed that the "End of PAM" solution would be easier to implement, so I opted for that. + +### Only One Cache +The `sssd-kcm` limits the number of caches by default to 64, but that can be changed to 1 with the `max_uid_ccaches`. +So there would be only one cache, shared by all sessions, but at least the `KCM` cannot serve anything but the latest. + +I did not exactly test this, but I tested what happens when all 64 caches are used up. + +It was not possible any more to authenticate on the lock screen: + +``` +Okt 05 14:57:11 lxdev01.psi.ch krb5_child[43689]: Internal credentials cache error +``` +So this causes a denial of service problem, we need to deal with somehow, e.g. by regulary removing expired caches. + + ## Options for Next Steps ### Try out Start of PAM
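Review bot: the "Only One Cache" reasoning contradicts the evidence in the same hunk. The text proposes `max_uid_ccaches` set to 1 so that "the `KCM` cannot serve anything but the latest", but the following paragraphs show that when the cache limit is reached a new session does not replace an older cache, it fails outright (`krb5_child[43689]: Internal credentials cache error`, lock screen authentication impossible). With a limit of 1 that failure would be hit on the second cache creation, so the section should either state that this is an untested assumption with that risk, or reconcile it with the observed behaviour. Smaller points: "can be changed to 1 with the `max_uid_ccaches`" should say it is an option (in the `[kcm]` section of `sssd.conf`) so a reader knows where to set it; "regulary" should be "regularly"; and "So this causes a denial of service problem, we need to deal with somehow" reads better as "So this causes a denial of service problem that we need to deal with somehow, e.g. by regularly removing expired caches."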