krb5_timeofday() and krb5_get_time_offsets() usage

Petr Spacek pspacek at redhat.com
Wed Aug 13 05:14:48 EDT 2014


Hello,

I would like to head your recommendation about correct 
krb5_timeofday()/krb5_get_time_offsets() usage.

Example:
- An application calls krb5_get_init_creds_keytab() during start up and then 
uses the ticket for a long time.
- The application later uses krb5_cc_retrieve_cred() to get 
creds.times.endtime value and to check that the ticket is still valid.
- The goal is to make sure that the ticket is still valid before any attempt 
to use it.

Is it enough to do something like this?

#define GUARD_TIME 300
krb5_timestamp now;
krb5_creds creds;

krb5_cc_retrieve_cred(context, ccache, 0, &mcreds, &creds);
krb5_timeofday(context, &now);

if (now > (creds.times.endtime - GUARD_TIME)) {
	log("Credentials in cache expired");
         renew_ticket();
}

I can see that krb5_timeofday() from krb5-libs-1.11 does time offset 
correction automatically for seconds but not for microseconds.

Does it mean that application should do microseconds correction on it's own? E.g.:

krb5_timeofday(context, &now);
krb5_get_time_offsets(context, &kdc_time_offset, &kdc_time_offset_usec);
if (kdc_time_offset_usec > 0)
	now++;
else if (kdc_time_offset_usec < 0)
	now--;


Or - would it be possible to handle microseconds correction inside 
krb5_timeofday()?

(I hope that I understood the semantics correctly, currently I don't see any 
krb5_set_time_offsets() call with non-zero microseconds parameter.)

Thank you for your time.

-- 
Petr Spacek  @  Red Hat


More information about the Kerberos mailing list