Fwd: Fwd: Man page description of kinit -R
Benjamin Kaduk
kaduk at MIT.EDU
Fri Sep 5 13:39:01 EDT 2014
On Thu, 4 Sep 2014, Brett Randall wrote:

> Initially I had checked kdc.conf, but of course clockskew is declared
> in krb5.conf, and I found my KDC had a (non-default) setting of
> clockskew = 3600 (1 hour). If I wait the full hour, the renewal is
> then rejected as expected.

The KDC merges krb5.conf and kdc.conf into a single "profile"; there is no
distinction made between which file a variable is set in. (I do not
consider here the case where a variable is set in both files.)

> Needless to say this caught me out. When I was reading the main
> documentation about ticket expiry, I didn't readily find any
> cross-references to clockskew and grace periods. What is interesting
> is that even though the client and KDC clocks are synced to the
> second, the grace period is still applied.

The KDC cannot really know that the clocks are synchronized, so the grace
period must always be applied.
-Ben Kaduk
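
The check discussed in this message, as an added example that is not part of the original post and is not MIT krb5 code: it finds which file sets clockskew and computes the last moment the KDC would still accept a ticket with a given end time. It assumes clockskew sits in [libdefaults] with a default of 300 seconds, uses constructed file contents and a simplified parser, and reports the both-files case as ambiguous because the message does not cover it.

```python
import re
from datetime import datetime, timedelta, timezone

DEFAULT_CLOCKSKEW = 300  # assumed library default, in seconds

# Constructed sample files, not taken from the original post.
KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    clockskew = 3600
"""
KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88
"""

def find_clockskew(text):
    """Return the clockskew set under [libdefaults] in one file, or None."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        setting = re.fullmatch(r"clockskew\s*=\s*(\d+)", line)
        if setting and section == "libdefaults":
            return int(setting.group(1))
    return None

def effective_clockskew(files):
    """files maps name -> contents; returns (seconds, where it was set)."""
    found = {}
    for name, text in files.items():
        value = find_clockskew(text)
        if value is not None:
            found[name] = value
    if not found:
        return DEFAULT_CLOCKSKEW, "default"
    if len(found) > 1:                           # case the message leaves open
        raise ValueError(f"clockskew set in several files: {sorted(found)}")
    (name, value), = found.items()
    return value, name

def renewal_cutoff(endtime, clockskew):
    """Latest KDC time at which a ticket ending at endtime is still accepted."""
    return endtime + timedelta(seconds=clockskew)
```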