Fwd: Man page description of kinit -R
Greg Hudson
ghudson at mit.edu
Thu Sep 4 12:03:06 EDT 2014
On 09/04/2014 01:58 AM, Brett Randall wrote:
> I create a short-life, renewable ticket, then use klist -s to check
> before/after it has expired. Then kinit -R is able to renew the
> ticket.

From your sequence of operations, you're just seeing the five-minute
grace period for expired tickets. This grace period exists in order to
tolerate small amounts of clock skew between the client and KDC.

> Also I have read one piece of client code that behaves like this is
> standard behaviour - it waits until the TGT expires, then renews it.

For automated processes, I would recommend trying to renew the ticket
when it is halfway to expired. That's reasonably efficient, allows
plenty of time to recover from a temporary network or KDC outage, and
doesn't eat into the built-in clock skew tolerance by relying on the
grace period.
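
The halfway rule from the reply above, as an added example that is not part of the original message or of MIT krb5: a decision function an automated job could call before running kinit -R, plus a simulation of when the renewals fall. The function names, the action labels and the renew_till input (the end of the ticket's renewable lifetime) are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Five-minute grace period for expired tickets, as described in the message.
GRACE = timedelta(minutes=5)


def renewal_action(start, end, renew_till, now):
    """Classify a TGT as 'wait', 'renew', 'grace' or 'reinit'.

    start/end bound the ticket's validity; renew_till is the end of its
    renewable lifetime (an assumed input, e.g. parsed from klist output).
    """
    if now >= end + GRACE or now >= renew_till:
        return "reinit"   # kinit -R can no longer work; a fresh kinit is needed
    if now >= end:
        return "grace"    # expired; renewal leans on the clock skew tolerance
    halfway = start + (end - start) / 2
    if now < halfway:
        return "wait"
    # Past halfway: renew, unless the ticket already runs to renew_till,
    # in which case renewing cannot extend it any further.
    return "renew" if end < renew_till else "reinit"


def renewal_schedule(start, lifetime, renew_till):
    """Simulate halfway renewals; return (renewal times, final expiry).

    Assumes each renewal yields a ticket valid from the renewal time for
    the same lifetime, capped at renew_till.
    """
    times = []
    end = min(start + lifetime, renew_till)
    while end < renew_till:
        now = start + (end - start) / 2
        times.append(now)
        start, end = now, min(now + lifetime, renew_till)
    return times, end


if __name__ == "__main__":
    # Constructed sample: 10-minute ticket, renewable for 25 minutes.
    t0 = datetime(2014, 9, 4, 12, 0, tzinfo=timezone.utc)
    for minute in (2, 5, 12, 16):
        now = t0 + timedelta(minutes=minute)
        print(minute, renewal_action(t0, t0 + timedelta(minutes=10),
                                     t0 + timedelta(minutes=25), now))
    print(renewal_schedule(t0, timedelta(minutes=10), t0 + timedelta(minutes=25)))
```

A job that only ever sees "wait" and "renew" is following the recommendation; any "grace" result means renewals are running late and depending on the skew tolerance.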