Possible kinit -R bug rhel 7.3 pkg 1.14.1-27.el7_3 and a few questions
Greg Hudson
ghudson at mit.edu
Mon Oct 16 12:45:19 EDT 2017
On 10/16/2017 12:28 PM, Hostetler,Alex wrote:
> Another thing that is different between the two versions is the lack of a renew until time on the klist above this kinit -R. It still has a renewable flag, which confused me a bit.

That is a known bug. The intent of the 1.12-1.15 KDC code was to issue
a non-renewable ticket in this case, but due to an oversight, a ticket
is issued with the renewable flag but no renewable end time. When you
try to renew such a ticket, you see a "Ticket expired" error because,
while the ticket isn't expired in the normal sense, the KDC sees the
ticket renewable end time as 0, and there is no separate error code for
renewable-time-expired. If the ticket were actually not renewable as
intended, you would instead see a "KDC can't fulfill requested option"
error (which admittedly isn't very descriptive either).

This bug is fixed for 1.16 by #8609, alongside the change to issue
trivially renewable tickets again.
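
Added example (not part of the original message and not krb5 project code): a check that reads `klist -f` output and lists tickets carrying the renewable flag (`R`) with no "renew until" time, the state described above. The function names and sample cache are constructed, and the parser assumes the default MIT `klist -f` layout with numeric dates.

```shell
#!/bin/sh
# Usage on a real cache: klist -f | find_broken_renewable

# Print the service principal of every ticket whose flags include
# R (renewable) but whose detail line has no "renew until" time.
find_broken_renewable() {
    awk '
    # Ticket row: "<start date> <time>  <end date> <time>  <service principal>"
    /^[0-9]+\/[0-9]+\/[0-9]+ / { service = $5; next }
    # Detail row: "renew until ..., " appears before "Flags:" only when
    # the ticket has a renewable end time.
    /Flags: / {
        flags = $0
        sub(/.*Flags: /, "", flags)   # drop everything up to the flag letters
        sub(/[, ].*/, "", flags)      # drop anything printed after them
        if (index(flags, "R") && $0 !~ /renew until/)
            print service
    }'
}

# Constructed sample: one affected TGT, one correctly renewable ticket,
# one non-renewable ticket.
sample_klist() {
    printf 'Ticket cache: FILE:/tmp/krb5cc_constructed\n'
    printf 'Default principal: alice@EXAMPLE.COM\n\n'
    printf 'Valid starting       Expires              Service principal\n'
    printf '10/16/2017 12:00:00  10/16/2017 22:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM\n'
    printf '\tFlags: FRIA\n'
    printf '10/16/2017 12:05:00  10/16/2017 22:00:00  host/a.example.com@EXAMPLE.COM\n'
    printf '\trenew until 10/23/2017 12:00:00, Flags: FRA\n'
    printf '10/16/2017 12:06:00  10/16/2017 22:00:00  HTTP/b.example.com@EXAMPLE.COM\n'
    printf '\tFlags: FA\n'
}

sample_klist | find_broken_renewable
```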