Compatibility between mixed kerberos release (KDC 1.12 client 1.10).

Todd Grayson tgrayson at cloudera.com
Wed Jul 29 22:17:50 EDT 2015


Interesting, I'll take a look, thanks!

On Wed, Jul 29, 2015 at 8:12 PM, Benjamin Kaduk <kaduk at mit.edu> wrote:

> On Wed, 29 Jul 2015, Ken Hornstein wrote:
>
> > >Is there any general wisdom out there about mixed KDC/Client versions? Are
> > >there concerns around allowing environments drift to where a KDC would be
> > >on a later release than the clients?
> >
> > FWIW, we run a whole bunch of crazy versions of Kerberos, and generally
> > there is not an interoperability problem; the protocol is pretty well
> > specified and in general everything works fine at that level.
>
> Yes; it is expected that any implementation of the kerberos protocol can
> successfully talk to a peer running a different implementation, including
> the case where the peers differ only by software version and have a common
> lineage.
>
> > >There seems to be a change in default behavior in the 1.12+ where renewable
> > >tickets must be specifically requested (RHEL 7 is including the 1.12 as the
> > >tested krb release in platform).
> >
> > This is more of a problem, but I don't consider this an interoperability
> > issue.
>
> That sort-of calls to mind
>
> https://github.com/krb5/krb5/commit/4f551a7ec126c52ee1f8fea4c3954015b70987bd,
> and makes me wonder what the actual lifetimes in the request are (and the
> max permitted by the KDC).
>
> -Ben
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Customer Operations Engineering

