Ticket lifetimes > 10 hrs?

Ken Hornstein kenh at cmf.nrl.navy.mil
Fri Nov 15 11:42:00 EST 2002

>I'm not sure that your interpretation of this code snippet is correct:

Always a possibility, I will freely admit :-)

>> until = (request->till == 0) ? kdc_infinity : request->till;
>> enc_tkt_reply.times.endtime =
>>     min(until, min(enc_tkt_reply.times.starttime + server.max_life,
>> 	min(enc_tkt_reply.times.starttime + max_life_for_realm,
>> 	    header_ticket->enc_part2->times.endtime)));
>The line immediately above what you've quoted is:
>  enc_tkt_reply.times.starttime = kdc_time;
>(in other words, "now"; kdc_time is gotten from krb5_timeofday earlier
>in the function).

Hm, I believe you are right.  I was confusing enc_tkt_reply with
header_ticket.  Sorry about that.

>So if it doesn't work in recent MIT versions, either it was fixed in DCE
>and didn't get propagated back to MIT (which, unfortunately, happened on
>occasion) or it got broken in the MIT code since the early 1.1 beta
>days.  I admit that I haven't done a test to verify this with a recent
>MIT drop, since I've set up 24-hour lifetimes for both TGTs and service
>tickets in my local testing config.

However ... it's important to note that it will still cause problems in
the "vanilla" case, since the MIT client code won't fetch a new ticket
from the KDC if the one in the credential cache has expired.  I'm SURE
that used to be a problem (it bit us for a while), and a code
inspection shows me that it's still the case (but hey, as demonstrated
above, I've been wrong before).


More information about the Kerberos mailing list