krb5 commit: Document clock skew tolerance for ticket times
Tom Yu
tlyu at mit.edu
Mon Sep 8 21:03:18 EDT 2014
https://github.com/krb5/krb5/commit/e56f3d43a746c198b1fd1889dc1211b9feedbfc3
commit e56f3d43a746c198b1fd1889dc1211b9feedbfc3
Author: Brett Randall <javabrett at gmail.com>
Date: Fri Sep 5 11:21:35 2014 +1000
Document clock skew tolerance for ticket times
KDC and application server checks on ticket start and expiration times
are subject to clock skew tolerance. Document this grace period.
[tlyu at mit.edu: edit commit message, adjust wording to conform to
existing style, document start time clock skew]
ticket: 8008 (new)
target_version: 1.13
tags: pullup
doc/admin/conf_files/krb5_conf.rst | 6 ++++++
doc/user/user_commands/kinit.rst | 5 +++++
2 files changed, 11 insertions(+), 0 deletions(-)
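The grace period the commit message describes, as an added example (this is not MIT krb5 code and is not part of the commit): a Python model of a verifier applying clockskew to a ticket's start and end times, and of a KDC deciding a renew request, beside the plain comparison klist uses to report a ticket as expired. The function names, the TicketTimes fields, the constructed timestamps, and the choice to give renew_till no grace period are this example's own assumptions.

```python
"""Model of the clockskew grace period on ticket times.

Added example, not MIT krb5 code. It models a KDC or application server
that tolerates up to `clockskew` seconds of difference between its own
clock and the issuer's when it evaluates a ticket's validity window.
The verdict strings echo the Kerberos error names (KRB_AP_ERR_TKT_NYV,
KRB_AP_ERR_TKT_EXPIRED); the exact comparisons below are this example's
reading of the documented behaviour, not krb5's source.
"""
from dataclasses import dataclass, replace
from typing import Optional, Union

DEFAULT_CLOCKSKEW = 300  # seconds; the libdefaults clockskew default


@dataclass(frozen=True)
class TicketTimes:
    """Validity window carried in a ticket (constructed sample data)."""
    starttime: int                    # Unix seconds the ticket becomes valid
    endtime: int                      # Unix seconds the ticket expires
    renew_till: Optional[int] = None  # renewable-life limit; None = not renewable


def klist_reports_expired(t: TicketTimes, now: int) -> bool:
    """What klist(1) shows the user: a plain comparison, no grace period."""
    return t.endtime < now


def check_validity(t: TicketTimes, now: int,
                   clockskew: int = DEFAULT_CLOCKSKEW) -> str:
    """Return 'OK', 'TKT_NYV' (not yet valid) or 'TKT_EXPIRED'.

    The ticket is refused only when its start time lies more than
    clockskew seconds in the future, or its end time more than clockskew
    seconds in the past.  Anything inside that band is attributed to
    clock skew and accepted, so a ticket klist calls expired can still
    pass here.
    """
    if t.starttime - clockskew > now:
        return "TKT_NYV"
    if t.endtime + clockskew < now:
        return "TKT_EXPIRED"
    return "OK"


def renew(t: TicketTimes, now: int, lifetime: int,
          clockskew: int = DEFAULT_CLOCKSKEW) -> Union[TicketTimes, str]:
    """Model a KDC handling a renew request (kinit -R).

    Returns the renewed TicketTimes, or a verdict string on refusal.
    The end-time check carries the same grace period as above; the
    renewable life is treated as a hard limit (an assumption of this
    example), and the renewed ticket never outlives renew_till.
    """
    if t.renew_till is None:
        return "NOT_RENEWABLE"
    verdict = check_validity(t, now, clockskew)
    if verdict != "OK":
        return verdict
    if t.renew_till <= now:          # assumption: no skew allowance here
        return "RENEW_TILL_PASSED"
    new_end = min(now + lifetime, t.renew_till)
    return replace(t, starttime=now, endtime=new_end)


if __name__ == "__main__":
    now = 1_600_000_000              # constructed "current time"
    # Expired two minutes ago by the verifier's clock, still renewable.
    t = TicketTimes(starttime=now - 36000, endtime=now - 120,
                    renew_till=now + 86400)
    print("klist says expired:", klist_reports_expired(t, now))
    print("verifier verdict:  ", check_validity(t, now))
    print("renew result:      ", renew(t, now, lifetime=36000))
```

Run it to see the mismatch the kinit.rst change is about: klist reports the sample ticket as expired, yet the verdict is OK and the renew succeeds because 120 seconds is inside the 300-second default; lowering clockskew to 60 on the verifying side turns the same request into TKT_EXPIRED.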
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 2b219fb..6636c2f 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -126,6 +126,12 @@ The libdefaults section may contain any of the following relations:
library will tolerate before assuming that a Kerberos message is
invalid. The default value is 300 seconds, or five minutes.
+ The clockskew setting is also used when evaluating ticket start
+ and expiration times. For example, tickets that have reached
+ their expiration time can still be used (and renewed if they are
+ renewable tickets) if they have been expired for a shorter
+ duration than the **clockskew** setting.
+
**default_ccache_name**
This relation specifies the name of the default credential cache.
The default is |ccache|. This relation is subject to parameter
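Review bot: the added paragraph names both start and expiration times but only illustrates expiration, although the commit message says this change also documents start-time skew; add the matching case, e.g. "Likewise, a ticket whose start time is up to **clockskew** seconds in the future is accepted." It should also say whose setting applies: a krb5.conf relation is read per host, so for a renewal it is the KDC's **clockskew** that decides, and for a service ticket the application server's, not the client's; as written a reader could raise clockskew on the client and expect expired tickets to renew. Minor style point: the first mention ("The clockskew setting is also used") is unbolded while the second is **clockskew**; the section bolds relation names, so bold both.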
diff --git a/doc/user/user_commands/kinit.rst b/doc/user/user_commands/kinit.rst
index c2b3b7f..72721c3 100644
--- a/doc/user/user_commands/kinit.rst
+++ b/doc/user/user_commands/kinit.rst
@@ -103,6 +103,11 @@ OPTIONS
expired ticket cannot be renewed, even if the ticket is still
within its renewable life.
+ Note that renewable tickets that have expired as reported by
+ :ref:`klist(1)` may sometimes be renewed using this option,
+ because the KDC applies a grace period to account for client-KDC
+ clock skew. See :ref:`krb5.conf(5)` **clockskew** setting.
+
**-k** [**-i** | **-t** *keytab_file*]
requests a ticket, obtained from a key in the local host's keytab.
The location of the keytab may be specified with the **-t**
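Review bot: the new note contradicts the sentence just above it ("expired ticket cannot be renewed") instead of qualifying it, and "may sometimes be renewed" leaves the condition vague when it is a precise bound; fold the grace period into the existing sentence, e.g. "An expired ticket cannot be renewed, even if it is still within its renewable life, unless it has been expired for less than the KDC's **clockskew** setting (see :ref:`krb5.conf(5)`)", and keep the observation that klist(1) shows the ticket as expired because it applies no such grace period. The closing sentence also reads awkwardly; "See the **clockskew** setting in :ref:`krb5.conf(5)`." is clearer.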