Compatibility between mixed kerberos release (KDC 1.12 client 1.10).

Benjamin Kaduk kaduk at MIT.EDU
Wed Jul 29 22:12:35 EDT 2015


On Wed, 29 Jul 2015, Ken Hornstein wrote:

> >Is there any general wisdom out there about mixed KDC/Client versions?  Are
> >there concerns around allowing environments to drift to where a KDC would be
> >on a later release than the clients?
>
> FWIW, we run a whole bunch of crazy versions of Kerberos, and generally
> there is not an interoperability problem; the protocol is pretty well
> specified and in general everything works fine at that level.

Yes; it is expected that any implementation of the Kerberos protocol can
successfully talk to a peer running a different implementation, including
the case where the peers differ only by software version and have a common
lineage.

> >There seems to be a change in default behavior in the 1.12+ where renewable
> >tickets must be specifically requested (RHEL 7 is including the 1.12 as the
> >tested krb release in platform).
>
> This is more of a problem, but I don't consider this an interoperability
> issue.

That sort of calls to mind
https://github.com/krb5/krb5/commit/4f551a7ec126c52ee1f8fea4c3954015b70987bd,
and makes me wonder what the actual lifetimes in the request are (and the
max permitted by the KDC).

-Ben

