524 problems with 1.3.4, and historical issues
Daniel Henninger
daniel at unity.ncsu.edu
Wed Jul 14 10:37:55 EDT 2004
Howdy folk,

For quite some time now, we have had to make 'minor' hacks to the Kerberos
base code to get it to behave nicely in our environment. In the 1.2.*
series, the hack was basically to take the following:

if (lifetime > 127) {
    /* use the CMU algorithm instead: */
    long *clist = cmu_seconds;
    while(*clist && *clist < deltatime) clist++;
    lifetime = 128 + (clist - cmu_seconds);
}

out of src/krb524/cnv_tkt_skey.c. This code caused us to get krb4 tickets
that had far shorter lifetimes than the "rest of the tickets". (tgts and
such) One easy place to notice this was with Zephyrs.

So now we are attempting to move to 1.3.4. I see that specific piece of
code no longer exists. Now, instead of getting a shorter zephyr ticket, I
get:

ghidora 5.8 [10:33am] <1> ...src> zwrite daniel
zwrite: Kerberos error: time is out of bounds while sending notice to daniel

?? The rest of my tickets seem fine at the moment:

Ticket cache: FILE:/tmp/krb5cc_daniel_:0.1
Default principal: daniel at EOS.NCSU.EDU

Valid starting     Expires            Service principal
07/14/04 10:26:12  07/15/04 07:41:12  krbtgt/EOS.NCSU.EDU at EOS.NCSU.EDU
07/14/04 10:26:13  07/15/04 07:41:12  afs/unity.ncsu.edu at EOS.NCSU.EDU
07/14/04 10:26:14  07/15/04 07:41:12  afs/eos.ncsu.edu at EOS.NCSU.EDU
07/14/04 10:26:14  07/15/04 07:41:12  afs/bp.ncsu.edu at EOS.NCSU.EDU
07/14/04 10:28:34  07/15/04 07:41:12  imap/uni00map.unity.ncsu.edu at EOS.NCSU.EDU
07/14/04 10:28:36  07/15/04 07:41:12  imap/uni10map.unity.ncsu.edu at EOS.NCSU.EDU

Kerberos 4 ticket cache: /tmp/tkt_daniel_:0.1
Principal: daniel at EOS.NCSU.EDU

Issued             Expires            Principal
07/14/04 10:26:12  07/15/04 07:41:12  krbtgt.EOS.NCSU.EDU at EOS.NCSU.EDU

So I attempted to define "SHORT_LIFETIME" in
lib/src/krb5/krb/v4lifetime.c, after looking at the code. I thought I'd
give it a whirl. That kills the out of bounds error message, but doesn't
give me a full length ticket:

07/14/04 10:11:39  07/14/04 21:46:39  zephyr.zephyr at EOS.NCSU.EDU

So my question here is, what are we doing different from you all up in
MIT? Why are we running into these issues and you are not? Am I
overlooking some sort of configuration problem? Do you all not use krb4
at all anymore? Thanks!

Daniel
--
/\\\----------------------------------------------------------------------///\
\ \\\ Daniel Henninger http://www.vorpalcloud.org/ /// /
\_\\\ North Carolina State University - Systems Programmer ///_/
\\\ Information Technology <IT> ///
"""--------------------------------------------------------------"""
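
Added example, not part of the original message and not MIT's code: the lifetime branch quoted above, run against a consumer that reads the krb4 lifetime byte as plain 5-minute units (an assumption about the receiving side). cmu_table is a constructed geometric stand-in for cmu_seconds (38400 s toward 30 days over bytes 128..191, also an assumption); encode_cmu, encode_linear and decode_linear are hypothetical names.

```c
#include <stdio.h>

#define UNIT   300   /* krb4 lifetime byte counts 5-minute units */
#define NSTEPS 64    /* assumed: table covers bytes 128..191 */

/* Constructed stand-in for cmu_seconds (assumption, not the real table):
 * geometric steps from 38400 s toward 30 days; the static zero-initialised
 * final slot is the terminator the quoted loop relies on. */
static long cmu_table[NSTEPS + 1];

static void build_table(void) {
    double v = 38400.0;
    for (int i = 0; i < NSTEPS; i++) {
        cmu_table[i] = (long)(v + 0.5);
        v *= 1.0691449;              /* (2592000/38400)^(1/63) */
    }
}

/* Encoder with the quoted branch: long lifetimes become a table index.
 * Rounding the unit count up is an assumption of this sketch. */
int encode_cmu(long deltatime) {
    long lifetime = (deltatime + UNIT - 1) / UNIT;
    if (cmu_table[0] == 0)
        build_table();
    if (lifetime > 127) {
        long *clist = cmu_table;
        while (*clist && *clist < deltatime) clist++;
        lifetime = 128 + (clist - cmu_table);
    }
    return (int)lifetime;
}

/* Encoder with the branch removed: plain units, clamped to one byte. */
int encode_linear(long deltatime) {
    long lifetime = (deltatime + UNIT - 1) / UNIT;
    return lifetime > 255 ? 255 : (int)lifetime;
}

/* Consumer that treats every byte value as 5-minute units. */
long decode_linear(int life) { return (long)life * UNIT; }

int main(void) {
    long want = 76500;   /* 21h15m, the span of the krb5 tickets above */
    printf("cmu    byte %d -> %ld s\n", encode_cmu(want), decode_linear(encode_cmu(want)));
    printf("linear byte %d -> %ld s\n", encode_linear(want), decode_linear(encode_linear(want)));
    return 0;
}
```

Under these assumptions a 21h15m request becomes byte 139, which a linear reader treats as 41700 s (11h35m), the same span as the zephyr ticket in the message. Byte 255 read linearly is 76500 s (21h15m), the span of the other tickets listed.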