524 problems with 1.3.4, and historical issues

Daniel Henninger daniel at unity.ncsu.edu
Wed Jul 14 10:37:55 EDT 2004


Howdy folk,

For quite some time now, we have had to make 'minor' hacks to the Kerberos 
base code to get it to behave nicely in our environment.  In the 1.2.* 
series, the hack was basically to take the following:
           if (lifetime > 127) {
               /* use the CMU algorithm instead: */
               long *clist = cmu_seconds;
               while(*clist && *clist < deltatime) clist++;
               lifetime = 128 + (clist - cmu_seconds);
           }
out of src/krb524/cnv_tkt_skey.c.  This code caused us to get krb4 tickets 
that had far shorter lifetimes than the "rest of the tickets".  (tgts and 
such)  One easy place to notice this was with Zephyrs.

So now we are attempting to move to 1.3.4.  I see that specific piece of 
code no longer exists.  Now, instead of getting a shorter zephyr ticket, I 
get:
ghidora 5.8 [10:33am] <1> ...src> zwrite daniel
zwrite: Kerberos error: time is out of bounds while sending notice to daniel


??  The rest of my tickets seem fine at the moment:

Ticket cache: FILE:/tmp/krb5cc_daniel_:0.1
Default principal: daniel at EOS.NCSU.EDU

Valid starting     Expires            Service principal
07/14/04 10:26:12  07/15/04 07:41:12  krbtgt/EOS.NCSU.EDU at EOS.NCSU.EDU
07/14/04 10:26:13  07/15/04 07:41:12  afs/unity.ncsu.edu at EOS.NCSU.EDU
07/14/04 10:26:14  07/15/04 07:41:12  afs/eos.ncsu.edu at EOS.NCSU.EDU
07/14/04 10:26:14  07/15/04 07:41:12  afs/bp.ncsu.edu at EOS.NCSU.EDU
07/14/04 10:28:34  07/15/04 07:41:12  imap/uni00map.unity.ncsu.edu at EOS.NCSU.EDU
07/14/04 10:28:36  07/15/04 07:41:12  imap/uni10map.unity.ncsu.edu at EOS.NCSU.EDU


Kerberos 4 ticket cache: /tmp/tkt_daniel_:0.1
Principal: daniel at EOS.NCSU.EDU

   Issued              Expires             Principal
07/14/04 10:26:12  07/15/04 07:41:12  krbtgt.EOS.NCSU.EDU at EOS.NCSU.EDU


So I attempted to define "SHORT_LIFETIME" in 
lib/src/krb5/krb/v4lifetime.c, after looking at the code.  I thought I'd 
give it a whirl.  That kills the out of bounds error message, but doesn't 
give me a full length ticket:
07/14/04 10:11:39  07/14/04 21:46:39  zephyr.zephyr at EOS.NCSU.EDU




So my question here is, what are we doing different from you all up in 
MIT?  Why are we running into these issues and you are not?  Am I 
overlooking some sort of configuration problem?  Do you all not use krb4 
at all anymore?  Thanks!

Daniel

-- 
/\\\----------------------------------------------------------------------///\
\ \\\      Daniel Henninger           http://www.vorpalcloud.org/        /// /
  \_\\\      North Carolina State University - Systems Programmer        ///_/
     \\\                   Information Technology <IT>                  ///
      """--------------------------------------------------------------"""
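
An added example (not part of the original message and not MIT's code): the one-byte krb4 lifetime read two ways, as linear 5-minute units or through a lookup table for values above 127, as in the snippet quoted in the message. The table entries are an assumption (the first twelve values of the CMU-style table, truncated), all function names are hypothetical, and the input is the 21h15m lifetime of the krb5 tickets listed above.

```c
#include <stdio.h>

/* Assumption: first 12 entries (seconds) of the CMU-style long-lifetime
 * table for byte values 128..139; the real table continues beyond these. */
static const long long_life[] = {
    38400, 41055, 43894, 46929, 50174, 53643,
    57352, 61318, 65558, 70091, 74937, 80119
};
#define NLONG ((int)(sizeof long_life / sizeof long_life[0]))
#define UNIT 300L /* one krb4 lifetime unit is 5 minutes */

/* Table-style encoder (hypothetical name): 5-minute units up to 127,
 * otherwise 128 + index of the first table entry >= secs. */
int encode_table(long secs)
{
    long units = (secs + UNIT - 1) / UNIT;
    if (units <= 127) return (int)units;
    for (int i = 0; i < NLONG; i++)
        if (long_life[i] >= secs) return 128 + i;
    return -1; /* beyond the truncated sample table */
}

/* Linear encoder: 5-minute units, clamped to the one-byte maximum. */
int encode_linear(long secs)
{
    long units = (secs + UNIT - 1) / UNIT;
    return units > 255 ? 255 : (int)units;
}

/* Linear reader: every byte value is a count of 5-minute units. */
long decode_linear(int life) { return life * UNIT; }

/* Table reader: values above 127 index the table. */
long decode_table(int life)
{
    if (life < 128) return life * UNIT;
    return life - 128 < NLONG ? long_life[life - 128] : -1;
}

int main(void)
{
    long secs = 21L * 3600 + 15 * 60; /* constructed input: 21h15m */
    int b = encode_table(secs);
    printf("table byte %d: table reader %lds, linear reader %lds\n",
           b, decode_table(b), decode_linear(b));
    printf("linear byte %d: linear reader %lds\n",
           encode_linear(secs), decode_linear(encode_linear(secs)));
    return 0;
}
```

With the table encoder and a linear reader, 21h15m becomes byte 139 and is read back as 41700 seconds (11h35m), the same span as the zephyr.zephyr ticket line in the message.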