Clock skew too great status code

Greg Hudson ghudson at MIT.EDU
Tue Feb 11 21:38:17 EST 2014


On 02/11/2014 04:28 AM, Arpit Srivastava wrote:
> When credentials expire, and I immediately call gss_init_sec_context, I
> get minor -1765328373 (Requested effective lifetime is negative or too
> short)
> but after 2-3 minutes, I call gss_init_sec_context again, I get expected
> minor code of credentials expired.

In the first case, the KDC accepted your TGT for the TGS request
(because of clock skew allowance) but calculated that the service ticket
would never be valid.  In the second case, the KDC rejected your TGT as
expired.

(At least, I think that's what is going on.  The GSSAPI client code can
locally generate a KRB5KRB_AP_ERR_TKT_EXPIRED error, but only if it
successfully obtains a service ticket from the ccache or the KDC and
then determines that it has expired.)
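
Added example, not part of the original message and not MIT krb5 code: a simplified C model of the two outcomes described above, showing how the same expired TGT yields one error inside the KDC's clock skew window and a different one after it. The function model_tgs_request, the 300-second skew, the sample times, and the choice of KRB5KRB_AP_ERR_TKT_EXPIRED for the rejected-TGT case are assumptions; the numeric codes are the krb5 error table base plus the protocol error number.

```c
#include <stdio.h>

/* krb5 com_err codes: error table base plus the RFC 4120 error number. */
#define ERROR_TABLE_BASE_krb5       (-1765328384L)
#define KRB5KDC_ERR_NEVER_VALID     (ERROR_TABLE_BASE_krb5 + 11) /* -1765328373 */
#define KRB5KRB_AP_ERR_TKT_EXPIRED  (ERROR_TABLE_BASE_krb5 + 32) /* -1765328352 */

/*
 * Hypothetical, simplified model of a KDC handling a TGS request.
 * All times are in seconds; clockskew is the KDC's allowance (assumed).
 * Returns 0 if a usable service ticket would be issued, else a minor code.
 */
long model_tgs_request(long now, long tgt_endtime, long req_life, long clockskew)
{
    long svc_endtime;

    /* Step 1: accept the TGT if it expired no more than clockskew ago. */
    if (now - tgt_endtime > clockskew)
        return KRB5KRB_AP_ERR_TKT_EXPIRED;

    /* Step 2: a service ticket cannot outlive the TGT it is derived from. */
    svc_endtime = now + req_life;
    if (svc_endtime > tgt_endtime)
        svc_endtime = tgt_endtime;

    /* Step 3: a ticket starting now that ends at or before now is never valid. */
    if (svc_endtime <= now)
        return KRB5KDC_ERR_NEVER_VALID;

    return 0;
}

int main(void)
{
    /* Constructed sample values: TGT expiry, skew allowance, requested life. */
    long expiry = 1000000, skew = 300, life = 36000;
    long offsets[] = { -60, 10, 150, 400 };

    for (int i = 0; i < 4; i++)
        printf("t = expiry%+ld s -> minor %ld\n", offsets[i],
               model_tgs_request(expiry + offsets[i], expiry, life, skew));
    return 0;
}
```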

