Fwd: Man page description of kinit -R

Greg Hudson ghudson at mit.edu
Thu Sep 4 12:03:06 EDT 2014


On 09/04/2014 01:58 AM, Brett Randall wrote:
> I create a short-life, renewable ticket, then use klist -s to check
> before/after it has expired.  Then kinit -R is able to renew the
> ticket.

From your sequence of operations, you're just seeing the five-minute
grace period for expired tickets.  This grace period exists in order to
tolerate small amounts of clock skew between the client and KDC.

> Also I have read one piece of client code that behaves like this is
> standard behaviour - it waits until the TGT expires, then renews it.

For automated processes, I would recommend trying to renew the ticket
when it is halfway to expired.  That's reasonably efficient, allows
plenty of time to recover from a temporary network or KDC outage, and
doesn't eat into the built-in clock skew tolerance by relying on the
grace period.
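
The halfway rule recommended above, sketched as an added example that is not part of the original message or of MIT krb5. The klist text is a constructed sample, the date format is an assumption (klist output varies by build and locale), and the function and action names are hypothetical.

```python
from datetime import datetime, timedelta
import re

# Constructed sample of `klist` output for a short-lived renewable TGT.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: svc-batch@EXAMPLE.COM

Valid starting       Expires              Service principal
09/04/2014 12:00:00  09/04/2014 12:10:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 09/04/2014 13:00:00
"""

FMT = "%m/%d/%Y %H:%M:%S"          # assumed timestamp format
GRACE = timedelta(minutes=5)       # grace period named in the message above
STAMP = r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)"
TGT_RE = re.compile(
    STAMP + r"\s+" + STAMP + r"\s+krbtgt/\S+\s*\n\s*renew until " + STAMP)

def parse_tgt(klist_text):
    """Return (start, end, renew_till) of the first renewable TGT, or None."""
    m = TGT_RE.search(klist_text)
    if not m:
        return None
    return tuple(datetime.strptime(g, FMT) for g in m.groups())

def renewal_action(start, end, renew_till, now):
    """Decide what an automated job should do with the TGT at time `now`."""
    halfway = start + (end - start) / 2
    if now >= renew_till or now >= end + GRACE:
        return "reauthenticate"    # kinit -R can no longer succeed
    if now >= end:
        return "renew-late"        # works only by leaning on the grace period
    if now >= halfway:
        return "renew"             # the recommended point to run `kinit -R`
    return "wait"

if __name__ == "__main__":
    start, end, renew_till = parse_tgt(SAMPLE_KLIST)
    for minutes in (3, 5, 12, 16, 60):
        now = start + timedelta(minutes=minutes)
        print(now.time(), renewal_action(start, end, renew_till, now))
```

A job that logs every "renew-late" result shows how often it is consuming the clock skew tolerance instead of renewing on schedule.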

