[krbdev.mit.edu #2058] Problems with ticket lifetimes in K4
Kevin Coffman
kwc at citi.umich.edu
Wed Dec 10 22:46:17 EST 2003
> -----Original Message-----
> From: 0000-Admin [mailto:daemon at MIT.EDU] On Behalf Of Tom Yu via RT
> Sent: Wednesday, December 10, 2003 9:46 PM
> To: kwc at citi.umich.edu
> Cc: krb5-prs at mit.edu
> Subject: Re: [krbdev.mit.edu #2058] Problems with ticket
> lifetimes in K4
>
>
> >>>>> "kwc" == kwc at citi umich edu via RT
> <rt-comment at krbdev.mit.edu> writes:
>
> kwc> 1) We have many Windows AFS clients which use the default
> kwc> authentication code found there. This code, unlike all the
> kwc> other AFS authentication code, uses K4 UDP instead of rx.
> kwc> The AFS K4 code checks the issue time of the ticket it gets
> kwc> back and compares it to its local time. If those times are
> kwc> more than "clock skew" off, it fails with a clock skew error.
> kwc> The adjustment of the issue time (kerb_time.tv_sec) causes
> kwc> the Windows AFS client to fail with a clock skew error.
>
> The backwards adjustment of issue time is meant to expire the krb4
> ticket at the same time as an equivalent krb4 ticket would expire. I
> suppose we could round the lifetime down if necessary, though that
> would cause tickets to expire much sooner than expected if you're in
> the exponential lifetime region.

Our old mod rounded up, but I don't see a problem if you round down.

> kwc> 2) The krb_life_to_time() routine returns 0xffffffff when the
> kwc> requested lifetime is "unlimited" (0xff in the request). So
> kwc> v4endtime becomes 0xffffffff. When this is used in the min()
> kwc> functions, -1 is found to be the minimum. Thus a ticket with
> kwc> an end time of 0xffffffff is returned. This lifetime should
> kwc> be limited by the life of the TGT and the service's lifetime.
>
> Are you mixing krb4 implementations? The version of
> krb_life_to_time() that is in krb5-1.3.1 does not return 0xffffffff
> for a requested lifetime of 0xff.

Yes, you're right. My apologies. I must have messed up the CVS merge.
Somehow the routines from our old local mods were overriding the new
routines in lib/krb4/lifetime.c
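
The failure mode described in item 2 above (an "unlimited" end time of 0xffffffff being read as -1 inside a min() and so escaping the TGT and service caps), shown as an added example that is not code from krb5 or from either poster. The function names and timestamps are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers for illustration; not taken from MIT krb5. */

/* Signed comparison: 0xffffffff becomes -1, so the "unlimited"
 * sentinel is chosen as the minimum and no cap is applied. */
static uint32_t endtime_signed_min(uint32_t requested, uint32_t tgt_end,
                                   uint32_t svc_end)
{
    int32_t m = (int32_t)requested;
    if ((int32_t)tgt_end < m) m = (int32_t)tgt_end;
    if ((int32_t)svc_end < m) m = (int32_t)svc_end;
    return (uint32_t)m;
}

/* Unsigned comparison: 0xffffffff is the largest value, so the
 * TGT end time and the service's maximum end time bound the result. */
static uint32_t endtime_unsigned_min(uint32_t requested, uint32_t tgt_end,
                                     uint32_t svc_end)
{
    uint32_t m = requested;
    if (tgt_end < m) m = tgt_end;
    if (svc_end < m) m = svc_end;
    return m;
}

int main(void)
{
    /* Constructed sample values (seconds since the epoch). */
    uint32_t issue     = 1071114377u;      /* ticket issue time        */
    uint32_t tgt_end   = issue + 36000u;   /* TGT expires in 10 hours  */
    uint32_t svc_end   = issue + 7200u;    /* service max life 2 hours */
    uint32_t unlimited = 0xffffffffu;      /* "unlimited" request      */

    printf("signed min:   0x%08x\n",
           (unsigned)endtime_signed_min(unlimited, tgt_end, svc_end));
    printf("unsigned min: 0x%08x\n",
           (unsigned)endtime_unsigned_min(unlimited, tgt_end, svc_end));
    return 0;
}
```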