cTime and KrbError
Greg Hudson
ghudson at mit.edu
Tue May 19 14:39:18 EDT 2020
On 5/19/20 10:56 AM, Luke Hebert wrote:
> So I've been searching around trying to understand cTime. While dealing
> with a ticket renewal issue. I know that this is supposed to be the
> client's current time. The question is what conditions cause cTime to print
> out in Java debug as being from 1981. This isn't the start of epoch.
>
> My assumption looking at the RFC for KRBError would suggest to me that
> something went wrong and the authenticator could not decode the request and
> the fields are omitted in the Error response. Thus resulting in a default
> value being printed for what would be a time based field.
For a KRB-ERROR resulting from a TGS request, the MIT krb5 KDC would
normally omit the ctime and cusec fields. It looks like a Heimdal KDC
would copy them from the request authenticator. I don't know what
Microsoft KDCs do.
347262666 does not seem like a recognizable default value; I have no
idea where it could be coming from.
More information about the Kerberos
mailing list