false time out of bounds error

Tom Yu tlyu at MIT.EDU
Sat Jul 24 00:58:14 EDT 2004


>>>>> "dwb7" == David Botsch <dwb7 at ccmr.cornell.edu> writes:

dwb7> I can tcpdump or ethereal it.  A correction... it may only take
dwb7> one krb524init after approximately 10 min has passed to cause
dwb7> the out of bounds error message to appear.

I think I've tracked this down and fixed it in our development
sources.  Basically, krb5-1.3.x (and possibly earlier releases)
backdate the start time of a krb4 ticket so that it will expire at the
correct time, rather than up to 5 minutes after it's supposed to
expire (or possibly even longer afterwards if it's in the exponential
lifetime range).

To avoid confusing clients, we made a fix so that the date reported to
the client when it requests the ticket is the "real" start time of the
ticket, rather than the backdated start time included in the encrypted
part of the ticket.  Unfortunately, when we made that fix, we
neglected to make it in all the relevant places, so it was still
possible to have a client see a backdated start time and flag it as
"time out of bounds".  I've checked in a fix; it is ticket #2643 in
our bug database.  It should be in a future release.

---Tom
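
A simplified model of the backdating described in the message above, as an added example that is not part of the original post and is not MIT krb5 code. The function names, the sample times and the 300-second client tolerance are assumptions; only the linear lifetime range is modeled, not the exponential one.

```c
#include <stdio.h>
#include <stdlib.h>

#define LIFE_UNIT   300   /* krb4 lifetime is counted in 5-minute units */
#define CLOCK_SKEW  300   /* assumed client tolerance, in seconds */

/* Lifetime in whole 5-minute units, rounded up so the ticket never
 * expires early (linear range only; exponential range not modeled). */
static long life_units(long start, long end)
{
    return (end - start + LIFE_UNIT - 1) / LIFE_UNIT;
}

/* Expiry the v4 ticket actually gets for a given start and unit count. */
static long v4_expiry(long start, long units)
{
    return start + units * LIFE_UNIT;
}

/* Start time shifted back so start + units*LIFE_UNIT lands exactly on end. */
static long backdated_start(long start, long end)
{
    return end - life_units(start, end) * LIFE_UNIT;
}

/* Hypothetical client check: reject a reported time too far from local. */
static int time_out_of_bounds(long reported, long client_now)
{
    return labs(client_now - reported) > CLOCK_SKEW;
}

int main(void)
{
    long start = 1000000;            /* constructed: real issue time at KDC */
    long end = start + 36000 + 60;   /* constructed: wanted life 10h 1min */
    long client_now = start + 120;   /* constructed: client clock 2 min ahead */
    long bd = backdated_start(start, end);
    printf("no backdating: expires %ld s late\n",
           v4_expiry(start, life_units(start, end)) - end);
    printf("backdated by %ld s, expires %ld s late\n",
           start - bd, v4_expiry(bd, life_units(start, end)) - end);
    printf("client sees real start: %s\n",
           time_out_of_bounds(start, client_now) ? "out of bounds" : "ok");
    printf("client sees backdated start: %s\n",
           time_out_of_bounds(bd, client_now) ? "out of bounds" : "ok");
    return 0;
}
```

In this model a client clock only 2 minutes ahead accepts the real start time but rejects the backdated one, because the 240 seconds of backdating are added to the existing skew.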

