Ticket lifetimes > 10 hrs?
Ken Hornstein
kenh at cmf.nrl.navy.mil
Fri Nov 15 11:42:00 EST 2002
>I'm not sure that your interpretation of this code snippet is correct:
Always a possibility, I will freely admit :-)
>>   until = (request->till == 0) ? kdc_infinity : request->till;
>>   enc_tkt_reply.times.endtime =
>>     min(until, min(enc_tkt_reply.times.starttime + server.max_life,
>>                    min(enc_tkt_reply.times.starttime + max_life_for_realm,
>>                        header_ticket->enc_part2->times.endtime)));
>
>The line immediately above what you've quoted is:
>
> enc_tkt_reply.times.starttime = kdc_time;
>
>(in other words, "now"; kdc_time is gotten from krb5_timeofday earlier
>in the function).
Hm, I believe you are right. I was confusing enc_tkt_reply with
header_ticket. Sorry about that.
>So if it doesn't work in recent MIT versions, either it was fixed in DCE
>and didn't get propagated back to MIT (which, unfortunately, happened on
>occasion) or it got broken in the MIT code since the early 1.1 beta
>days. I admit that I haven't done a test to verify this with a recent
>MIT drop, since I've set up 24-hour lifetimes for both TGTs and service
>tickets in my local testing config.
However ... it's important to note that it will still cause problems in
the "vanilla" case, since the MIT client code won't fetch a new ticket
from the KDC if the one in the credential cache has expired. I'm SURE
that used to be a problem (it bit us for a while), and a code
inspection shows me that it's still the case (but hey, as demonstrated
above, I've been wrong before).
--Ken
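Added example (not MIT krb5 code and not Ken's): a small C model of the min() chain quoted above, run against constructed timestamps, plus a model of the two credential-cache lookup behaviours the message contrasts (use a matching cached entry unconditionally, versus refetch when it has expired). Type and function names below (krb5_timestamp_t, service_ticket_endtime, cc_lookup, the sample cache) are hypothetical and exist only for this illustration; starttime is taken as kdc_time, as the quoted code does.

```c
/* Added example modelling the KDC endtime computation and client cache
 * lookup discussed in the thread. Not MIT krb5 code; all names and the
 * sample timestamps are constructed for illustration. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

typedef long krb5_timestamp_t;                 /* hypothetical: seconds since epoch */
#define KDC_INFINITY ((krb5_timestamp_t)INT_MAX) /* stands in for kdc_infinity */

static krb5_timestamp_t tmin(krb5_timestamp_t a, krb5_timestamp_t b)
{
    return a < b ? a : b;
}

/* Mirror of the quoted chain:
 *   until   = (request->till == 0) ? kdc_infinity : request->till;
 *   endtime = min(until, min(start + server.max_life,
 *                 min(start + max_life_for_realm, tgt_endtime)))
 * where start is kdc_time ("now" on the KDC). */
krb5_timestamp_t service_ticket_endtime(krb5_timestamp_t kdc_time,
                                        krb5_timestamp_t request_till,
                                        krb5_timestamp_t server_max_life,
                                        krb5_timestamp_t max_life_for_realm,
                                        krb5_timestamp_t tgt_endtime)
{
    krb5_timestamp_t starttime = kdc_time;
    krb5_timestamp_t until = (request_till == 0) ? KDC_INFINITY : request_till;
    return tmin(until,
                tmin(starttime + server_max_life,
                     tmin(starttime + max_life_for_realm, tgt_endtime)));
}

/* Client side: two credential-cache lookup policies. CC_MATCH_ONLY returns a
 * matching entry even after its endtime (the behaviour the message
 * complains about); CC_CHECK_EXPIRY treats an expired entry as a miss so the
 * caller would go back to the KDC. */
enum cc_policy { CC_MATCH_ONLY, CC_CHECK_EXPIRY };

typedef struct {
    const char *server;          /* service principal the ticket is for */
    krb5_timestamp_t endtime;    /* ticket endtime as issued by the KDC */
} cc_entry;

/* Returns the endtime of the cached ticket that would be presented, or -1
 * when a fresh ticket must be fetched from the KDC. */
krb5_timestamp_t cc_lookup(const cc_entry *cache, int n, const char *server,
                           krb5_timestamp_t now, enum cc_policy policy)
{
    for (int i = 0; i < n; i++) {
        if (strcmp(cache[i].server, server) != 0)
            continue;
        if (policy == CC_MATCH_ONLY || now < cache[i].endtime)
            return cache[i].endtime; /* presented as-is; rejected by the service if expired */
        return -1;                   /* expired and policy notices: refetch */
    }
    return -1;                       /* no matching entry: refetch */
}

/* Constructed sample: one cached service ticket whose endtime was capped to
 * the TGT endtime (1036000) by the KDC computation above. */
static const cc_entry sample_cache[] = {
    { "host/db.example.com", 1036000 },
};

krb5_timestamp_t sample_lookup(krb5_timestamp_t now, enum cc_policy policy)
{
    return cc_lookup(sample_cache, (int)(sizeof sample_cache / sizeof sample_cache[0]),
                     "host/db.example.com", now, policy);
}

int main(void)
{
    /* Constructed scenario: TGT issued at 1000000 with a 10h lifetime, realm
     * and service max_life both 24h, no explicit till in the TGS request. */
    krb5_timestamp_t tgt_end = 1000000 + 10 * 3600;
    printf("TGS at issue time:   endtime %ld (TGT end %ld)\n",
           service_ticket_endtime(1000000, 0, 86400, 86400, tgt_end), tgt_end);
    printf("TGS 5.5h later:      endtime %ld (TGT end %ld)\n",
           service_ticket_endtime(1020000, 0, 86400, 86400, tgt_end), tgt_end);
    printf("Realm max_life 10h:  endtime %ld\n",
           service_ticket_endtime(1000000, 0, 86400, 36000, 1000000 + 86400));
    printf("After TGT expiry, match-only lookup returns %ld, expiry-aware returns %ld\n",
           sample_lookup(1040000, CC_MATCH_ONLY), sample_lookup(1040000, CC_CHECK_EXPIRY));
    return 0;
}
```

The first two calls show that with a 10-hour TGT every service ticket is capped at the TGT's endtime regardless of a 24-hour max_life, and the last line shows why that matters on the client: a lookup that only matches on principal keeps handing back the capped, now-expired ticket instead of asking the KDC for a new one.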