Unable to create renewable ticket when we switched to a 1.12 KDC

Benjamin Kaduk kaduk at MIT.EDU
Thu Aug 27 22:36:32 EDT 2015


Hi Ishaan,

Russ's comments are almost certainly most relevant to your operational
situation, but for completeness, a couple more answers inline.

On Fri, 21 Aug 2015, Ishaan Joshi wrote:

>    Thanks a bunch for the quick responses. Let me restate the problem we
> faced (which is exactly what Ben described):
>
>     Our earlier behaviour was to issue the following kinit to periodically
> renew our daemon's ticket: "kinit -r <time_string> -k -t <keytab>
> <service_name>". The time_string was hard coded to a day. The renewal time
> was controlled by another option that was passed in.
>
>     When we first ran against a 1.12 KDC, the ticket became non-renewable
> because the hard-coded value for time_string happened to be equal to the
> ticket_lifetime in the krb5.conf.
>
>    I have a few follow-on questions:
>
>    - Can I assume that our previous behaviour was incorrect, and we just
>    got lucky because it was not enforced?

This is a little bit of a grey area in the specification; there's no need
for the issued ticket to be renewable if the renewable lifetime is less
than or equal to the issued lifetime, and whether the KDC chooses to set
the flag is largely an implementation choice.

>    - Do we need to use the -r flag, given that the ticket is renewed
>    periodically?

In this situation, no; using the -r flag is only relevant if you want to
later utilize "kinit -R" to actually renew the ticket.

>    - Are there any risks to passing in a value via -l on older KDCs, apart
>    from overriding the value in the krb5.conf?

No.

-Ben
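A check that fits the situation discussed above: after `kinit -r ... -k -t <keytab>`, parse `klist -f` output and confirm the TGT actually carries the renewable (R) flag with a renew-until later than its expiry, rather than assuming `-r` took effect. This is an added example, not code from the thread or from MIT Kerberos; the `klist` text is constructed, and the line format assumed is MIT klist's.

```python
import re
from datetime import datetime

# Constructed `klist -f` output: -r was equal to ticket_lifetime, so the KDC
# left the R flag unset and "renew until" merely equals the expiry time.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: daemon/host.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
08/27/2015 22:00:00  08/28/2015 22:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 08/28/2015 22:00:00, Flags: FIA
"""

TS = "%m/%d/%Y %H:%M:%S"
TS_RE = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
ENTRY_RE = re.compile(rf"^({TS_RE})\s+({TS_RE})\s+(\S+)$")
RENEW_RE = re.compile(rf"^\s*renew until ({TS_RE})(?:, Flags: (\S+))?$")
FLAGS_RE = re.compile(r"^\s*Flags: (\S+)$")  # klist prints this when no renew-until

def parse_klist(text):
    """Return one dict per credential: expires, service, renew_until, flags."""
    tickets = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            tickets.append({"expires": datetime.strptime(m.group(2), TS),
                            "service": m.group(3), "renew_until": None, "flags": ""})
            continue
        if not tickets:
            continue  # header lines before the first credential
        m = RENEW_RE.match(line)
        if m:
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), TS)
            tickets[-1]["flags"] = m.group(2) or ""
            continue
        m = FLAGS_RE.match(line)
        if m:
            tickets[-1]["flags"] = m.group(1)
    return tickets

def is_usefully_renewable(t):
    """R flag set AND renew-until strictly after expiry; equal times are useless."""
    return "R" in t["flags"] and t["renew_until"] is not None and t["renew_until"] > t["expires"]

def check_tgt(text):
    """(True, detail) if the TGT can be renewed with kinit -R, else (False, why)."""
    tgts = [t for t in parse_klist(text) if t["service"].startswith("krbtgt/")]
    if not tgts:
        return False, "no TGT in cache"
    t = tgts[0]
    if is_usefully_renewable(t):
        return True, "renewable until " + t["renew_until"].strftime(TS)
    return False, "not renewable (flags=%s); kinit -R would fail" % (t["flags"] or "-")
```

Run `klist -f` and feed its stdout to `check_tgt` from a monitoring job; a `False` result right after a fresh `kinit -r` means the `-r` value did not exceed the issued lifetime.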
