diff --git a/rhel8/kerberos.md b/rhel8/kerberos.md index 4e7f96ce..ed83e879 100644 --- a/rhel8/kerberos.md +++ b/rhel8/kerberos.md @@ -262,7 +262,7 @@ and providing a working TGT in these caches. I identified so far two cases of the program flow in PAM to manage: - **TGT delegation** as done by `sshd` with authentication method `gssapi-with-mic`, where a new cache is created by `sshd` and then filled with the delegated ticket -- **TGT creation** as done by `sss.so` upon password authentication, where a new TGT is created an placed into the `KCM` managed default cache. +- **TGT creation** as done by `pam_sss.so` upon password authentication, where a new TGT is created an placed into the `KCM` managed default cache. Now there is no simple and bullet proof selection of where the TGT ends up in KCM. The KCM designated default cache might it be or not. diff --git a/rhel8/kerberos/kerberos_sshd_tgt_delegation.png b/rhel8/kerberos/kerberos_sshd_tgt_delegation.png index 11ee1618..54bcaf68 100644 Binary files a/rhel8/kerberos/kerberos_sshd_tgt_delegation.png and b/rhel8/kerberos/kerberos_sshd_tgt_delegation.png differ diff --git a/rhel8/kerberos/kerberos_sshd_tgt_delegation.puml b/rhel8/kerberos/kerberos_sshd_tgt_delegation.puml index 8f7802b4..a6c68e37 100644 --- a/rhel8/kerberos/kerberos_sshd_tgt_delegation.puml +++ b/rhel8/kerberos/kerberos_sshd_tgt_delegation.puml 
@@ -17,23 +17,25 @@ end box participant "systemd --user" as systemd box KCM participant "sssd-kcm" as sssd_kcm - participant "credential cache KCM:$UID:61555" as default_cache + participant "credential cache KCM:$UID:61555" as new_cache participant "credential cache KCM:$UID:sitmchszro" as random_cache end box participant bash user -> sshd : connects using //ssh//\nwith //GSSAPIDelegateCredentials=yes//\nand authentication method //gssapi-with-mic// note right: authentication is done without libpam -sshd -> sssd_kcm : get default cache -sshd -> default_cache : place delegated TGT +sshd -> sssd_kcm : get new cache +create new_cache +sssd_kcm -> new_cache : create +sshd -> new_cache : place delegated TGT sshd -> libpam : setup session libpam -> pam_systemd : //pam_sm_open_session()// create systemd pam_systemd -> systemd: start if not running yet libpam -> pam_single_kcm_cache : //pam_sm_open_session()// pam_single_kcm_cache -> sssd_kcm : iterate all suitable caches to find newest TGT -note right: the default cache may change in between -pam_single_kcm_cache -> default_cache: get TGT +note right: the default cache might be KCM:$UID:61555 or not +pam_single_kcm_cache -> new_cache: get TGT pam_single_kcm_cache -> sssd_kcm : create new random cache create random_cache sssd_kcm -> random_cache: create
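Review bot: in the kerberos.md hunk, the rewritten bullet still carries the typo "created an placed"; since the `+` line `- **TGT creation** as done by `pam_sss.so` upon password authentication, where a new TGT is created an placed into the `KCM` managed default cache.` is being touched anyway, change it to "created and placed". While there, the unchanged context sentence "The KCM designated default cache might it be or not." reads awkwardly and could become "It may or may not be the KCM-designated default cache.", which also matches the wording now used in the diagram note.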
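Review bot: in the .puml hunk the replacement note `note right: the default cache might be KCM:$UID:61555 or not` is ambiguous, because it is attached to the iteration step and can be read as the name of the newly created cache being uncertain, whereas the point is that the KCM default cache may or may not be the cache `sshd` just created; suggest wording it as "the KCM default cache may or may not be KCM:$UID:61555 (the cache sshd created)". The explicit `create new_cache` / `sssd_kcm -> new_cache : create` pair placed right after `sshd -> sssd_kcm : get new cache` is consistent with the existing `create random_cache` pattern and correctly precedes the first message to `new_cache`, so the lifeline will start at the creation point as intended.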