KfW 3.1: kinit.exe, krb5.ini and ticket_lifetime

Jay Stamps jstamps at stanford.edu
Wed Jan 31 17:05:56 EST 2007


Hi all:

We're adding a line to the [libdefaults] stanza in our site-wide 
krb5.conf file to keep the Macs happy:

ticket_lifetime = 25h

Our realm default is 25 hrs, but the Mac K5 client will go w/ 10 hrs 
unless its conf file (/Library/Preferences/edu.mit.Kerberos) 
instructs it otherwise.

Given that we'd like to have a single conf file for all platforms 
(Mac, Win, *nix), a niggling peculiarity of kinit.exe for Windows 
(KfW 3.1.0) has surfaced in my testing: Any value for ticket_lifetime 
will be interpreted as a number of minutes. So the line as I've given 
it above will result in a ticket that expires in 25 mins.

NIM doesn't look at %SystemRoot%\krb5.ini for its default ticket 
lifetime, so only the command-line kinit tool is affected. For now 
we're avoiding the problem by specifying "1500m" instead of "25h" 
("90000" would work, for that matter, but is less readable). The 
inconsistency seems odd, though. All other MIT kinit utilities 
correctly interpret "25h" as "25 hours," or else assume seconds.

Is this a bug? A reasonable question in response might be, why do I 
care? Given the nature of Stanford's environment, we no doubt have 
users (perhaps not many) who still use kinit at the Windows command 
line, and we don't want to wreck their lives.

Thanks,
Jay
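
An added example (not part of the original post, and not KfW or MIT code): a small Python check that reads ticket_lifetime from the [libdefaults] stanza and compares the documented krb5.conf duration reading with a model of the minutes-only reading reported above for kinit.exe in KfW 3.1.0. The sample file, the function names, the minutes-only model and the 25-hour KDC cap are assumptions of the example.

```python
import re
# Constructed sample file, not a real site configuration.
SAMPLE_CONF = """\
[libdefaults]
    ticket_lifetime = 25h
"""
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def libdefaults_value(conf_text, key):
    """Return the raw value of `key` from the [libdefaults] stanza, or None."""
    section = None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "libdefaults" and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            if name == key:
                return value
    return None

def documented_seconds(value):
    """krb5.conf duration forms: bare seconds, h:m[:s], or NdNhNmNs."""
    v = value.strip().lower()
    if v.isdigit():
        return int(v)
    if re.fullmatch(r"\d+:\d+(:\d+)?", v):
        h, m, s = ([int(p) for p in v.split(":")] + [0])[:3]
        return h * 3600 + m * 60 + s
    if re.fullmatch(r"(\d+[dhms])+", v):
        return sum(int(n) * UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([dhms])", v))
    raise ValueError(f"unrecognised duration: {value!r}")

def minutes_only_seconds(value):
    """Assumed model of the reported kinit.exe reading: leading number = minutes."""
    m = re.match(r"\d+", value.strip())
    if not m:
        raise ValueError(f"no leading number: {value!r}")
    return int(m.group()) * 60

def check_ticket_lifetime(conf_text, kdc_max=25 * 3600):
    """Compare both readings after the KDC cap (the 25h cap is an assumption)."""
    raw = libdefaults_value(conf_text, "ticket_lifetime")
    if raw is None:
        return None
    std, alt = (min(f(raw), kdc_max) for f in (documented_seconds, minutes_only_seconds))
    return {"raw": raw, "documented_s": std, "minutes_only_s": alt, "portable": std == alt}
```

A value is reported as portable only when both readings yield the same ticket lifetime once the cap is applied, which is the property a single cross-platform conf file needs.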



