Fwd: Fwd: Man page description of kinit -R

Benjamin Kaduk kaduk at MIT.EDU
Fri Sep 5 13:39:01 EDT 2014


On Thu, 4 Sep 2014, Brett Randall wrote:

> Initially I had checked kdc.conf, but of course clockskew is declared
> in krb5.conf, and I found my KDC had a (non-default) setting of
> clockskew = 3600 (1 hour).  If I wait the full hour, the renewal is
> then rejected as expected.

The KDC merges krb5.conf and kdc.conf into a single "profile"; there is no
distinction made between which file a variable is set in.  (I do not
consider here the case where a variable is set in both files.)

> Needless to say this caught me out.  When I was reading the main
> documentation about ticket expiry, I didn't readily find any
> cross-references to clockskew and grace periods.  What is interesting
> is that even though the client and KDC clocks are synced to the
> second, the grace period is still applied.

The KDC cannot really know that the clocks are synchronized, so the grace
period must always be applied.

-Ben Kaduk
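
The following is an added example, not part of the original message and not MIT krb5 code: a small audit that looks for `clockskew` in both files, since the KDC reads them as one profile, and shows the resulting window after ticket expiry during which a renewal is still accepted. It assumes `clockskew` is an integer number of seconds under `[libdefaults]` with the documented default of 300; the file contents are constructed and the function names are hypothetical.

```python
import re

DEFAULT_CLOCKSKEW = 300  # documented krb5 default, in seconds

# Constructed sample files (not taken from the hosts discussed in the thread).
KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    clockskew = 3600
"""
KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88
"""

def find_clockskew(name, text):
    """Return [(file, line_no, seconds)] for clockskew set under [libdefaults]."""
    hits, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        m = re.fullmatch(r"clockskew\s*=\s*(\d+)", line)
        if m and section == "libdefaults":
            hits.append((name, no, int(m.group(1))))
    return hits

def audit(files):
    """files: {name: text}; every file is searched because the KDC merges them."""
    hits = [h for name, text in files.items() for h in find_clockskew(name, text)]
    values = {h[2] for h in hits}
    if not hits:
        skew = DEFAULT_CLOCKSKEW
    else:
        # Conflicting values: precedence is not covered in the thread, so report None.
        skew = values.pop() if len(values) == 1 else None
    return {"hits": hits, "skew": skew}

def renewal_accepted(endtime, kdc_now, skew):
    """An expired ticket is still honoured until endtime + skew on the KDC clock."""
    return kdc_now <= endtime + skew

if __name__ == "__main__":
    result = audit({"krb5.conf": KRB5_CONF, "kdc.conf": KDC_CONF})
    print(result)
    print(renewal_accepted(endtime=1000, kdc_now=1000 + 1800, skew=result["skew"]))
```
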

