cTime and KrbError

Greg Hudson ghudson at mit.edu
Tue May 19 14:39:18 EDT 2020


On 5/19/20 10:56 AM, Luke Hebert wrote:
> So I've been searching around trying to understand cTime. While dealing
> with a ticket renewal issue. I know that this is supposed to be the
> client's current time. The question is what conditions cause cTime to print
> out in Java debug as being from 1981. This isn't the start of epoch.
> 
> My assumption looking at the RFC for KRBError would suggest to me that
> something went wrong and the authenticator could not decode the request and
> the fields are omitted in the Error response. Thus resulting in a default
> value being printed for what would be a time based field.

For a KRB-ERROR resulting from a TGS request, the MIT krb5 KDC would
normally omit the ctime and cusec fields.  It looks like a Heimdal KDC
would copy them from the request authenticator.  I don't know what
Microsoft KDCs do.

347262666 does not seem like a recognizable default value; I have no
idea where it could be coming from.


More information about the Kerberos mailing list