Possible kinit -R bug rhel 7.3 pkg 1.14.1-27.el7_3 and a few questions

Hostetler,Alex Alex.Hostetler at cerner.com
Mon Oct 16 11:03:06 EDT 2017 

Hey All,

We seem to be running into a bug and our team may have made some incorrect assumptions when we first rolled this out.  We have a few issues.  These are all performed on rhel 7.3 using packages 1.14.1-27.el7_3.

First
We are able to run “kinit –R” outside of the expiration time.  The man pages say this shouldn’t be able to occur.
Ex.

09:25:23 $ klist -ef
Ticket cache: FILE:/tmp/krb5cc_17105570
Default principal: test/bdatadevkdc01.northamerica.net at realm

Valid starting       Expires              Service principal
10/16/2017 09:25:17  10/16/2017 09:27:17  krbtgt/realm at realm
                renew until 10/16/2017 09:31:17, Flags: FRI
                Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

09:25:25 $ sleep 140; date; kinit -R; klist
Mon Oct 16 09:27:59 CDT 2017
Ticket cache: FILE:/tmp/krb5cc_17105570
Default principal: test/bdatadevkdc01.northamerica.net at realm

Valid starting       Expires              Service principal
10/16/2017 09:28:01  10/16/2017 09:30:01  krbtgt/realm at realm
                renew until 10/16/2017 09:31:17

Here the ticket lifetime is 2 mins, renew time is 6 mins.  We sleep for 140 seconds and are still able to renew the ticket anyway.  I believe this is a bug.

Second
This one may just be a misunderstanding on my part.
Similar situation.  Ticket lifetime is 2 mins, renewable for 6.  When we get to the 5th min of the renew until time, where if we were to kinit –R again the expiration date would be outside of that renew until time, should the ticket expire or should the valid starting time just be updated and the expiration time capped?  We had a patched package that did things the latter way and the regular 1.14 packages that do it the former.

Third
This may be answered in the above, but when we kinit –R in a situation like the second problem, at the end of the renew until time so the ticket lifetime would put it outside of that window.  We see the ticket expire in 1.14, but when doing a klist the ticket still looks valid since it shows it within the valid starting time and expiration date.  The ticket no longer functions – as expected from the output of kinit –R, is the expired ticket displayed in any way to klist?

Thank you for your time!

Alex H.


CONFIDENTIALITY NOTICE This message and any included attachments are from Cerner Corporation and are intended only for the addressee. The information contained in this message is confidential and may constitute inside or non-public information under international, federal, or state securities laws. Unauthorized forwarding, printing, copying, distribution, or use of such information is strictly prohibited and may be unlawful. If you are not the addressee, please promptly delete this message and notify the sender of the delivery error by e-mail or you may call Cerner's corporate offices in Kansas City, Missouri, U.S.A at (+1) (816)221-1024.

More information about the Kerberos mailing list