524 problems with 1.3.4, and historical issues

Daniel Henninger daniel at unity.ncsu.edu
Wed Jul 14 13:41:24 EDT 2004


>    Daniel> So I attempted to define "SHORT_LIFETIME" in
>    Daniel> lib/src/krb5/krb/v4lifetime.c, after looking at the code.
>    Daniel> I thought I'd give it a whirl.  That kills the out of
>    Daniel> bounds error message, but doesn't give me a full length
>    Daniel> ticket: 07/14/04 10:11:39 07/14/04 21:46:39
>    Daniel> zephyr.zephyr at EOS.NCSU.EDU
>
>    Daniel> So my question here is, what are we doing different from
>    Daniel> you all up in MIT?  Why are we running into these issues
>    Daniel> and you are not?
>
> Well, I suspect it's probably because our default lifetime is 10 hours
> for all tickets.

Hrm, our default lifetime is:
         ticket_lifetime = 24000

=)


> So, for the combination that gives you a time out of bounds error,
> when do you get the error?  In particular, do you get it with kvno -4 or only with zwrite?

kvno -4 zephyr.zephyr
kvno: krb_mk_req error: Time is out of bounds (krb_rd_req)

=/

> Are you getting tgts with krb524init or with kinit -4?

It does happen with both.

I just found out it does only happen when I specify the max 1275 minutes 
lifetime.  It does not happen if I go for the default lifetime.  The 
precise moment it goes from time out of bounds to not out of bounds is 
at 690 minutes.  690 minutes is the maximum lifetime I can set and still 
successfully get the zephyr ticket.  691 starts giving me out of 
bounds.

> What versions of client, kdc and krb524d are you using?

Client is either 1.3.4 or 1.2.8.  Server is 1.3.4.  (both clients work 
fine when server is 1.2.8)  Also, krb5.conf can be pointing at the 1.3.4 
and krb.conf can be pointing at the 1.2.8 server and have it work just 
fine.

>    Daniel> Am I overlooking some sort of
>    Daniel> configuration problem?  Do you all not use krb4 at all
>    Daniel> anymore?
>
> I only wish we no longer used krb4.

*chuckle*  likewise  =/  some day   some magical day

Daniel

-- 
/\\\----------------------------------------------------------------------///\
\ \\\      Daniel Henninger           http://www.vorpalcloud.org/        /// /
  \_\\\      North Carolina State University - Systems Programmer        ///_/
     \\\                   Information Technology <IT>                  ///
      """--------------------------------------------------------------"""

