[krbdev.mit.edu #2058] Problems with ticket lifetimes in K4

kwc@citi.umich.edu via RT rt-comment at krbdev.mit.edu
Wed Dec 10 22:46:56 EST 2003


> -----Original Message-----
> From: 0000-Admin [mailto:daemon at MIT.EDU] On Behalf Of Tom Yu via RT
> Sent: Wednesday, December 10, 2003 9:46 PM
> To: kwc at citi.umich.edu
> Cc: krb5-prs at mit.edu
> Subject: Re: [krbdev.mit.edu #2058] Problems with ticket 
> lifetimes in K4
> 
> 
> >>>>> "kwc" == kwc at citi umich edu via RT 
> <rt-comment at krbdev.mit.edu> writes:
> 
> kwc> 1) We have many Windows AFS clients which use the default
> kwc> authentication code found there.  This code, unlike all the
> kwc> other AFS authentication code, uses K4 UDP instead of rx.
> kwc> The AFS K4 code checks the issue time of the ticket it gets
> kwc> back and compares it to its local time.  If those times are
> kwc> more than "clock skew" off, it fails with a clock skew error.
> kwc> The adjustment of the issue time (kerb_time.tv_sec) causes
> kwc> the Windows AFS client to fail with a clock skew error.
> 
> The backwards adjustment of issue time is meant to expire the krb4
> ticket at the same time as an equivalent krb4 ticket would expire.  I
> suppose we could round the lifetime down if necessary, though that
> would cause tickets to expire much sooner than expected if you're in
> the exponential lifetime region.


Our old mod rounded up, but I don't see a problem if you round down.


> kwc> 2) The krb_life_to_time() routine returns 0xffffffff when the
> kwc> requested lifetime is "unlimited" (0xff in the request).  So
> kwc> v4endtime becomes 0xffffffff.  When this is used in the min()
> kwc> functions, -1 is found to be the minimum.  Thus a ticket with
> kwc> an end time of 0xffffffff is returned.  This lifetime should
> kwc> be limited by the life of the TGT and the service's lifetime.
> 
> Are you mixing krb4 implementations?  The version of
> krb_life_to_time() that is in krb5-1.3.1 does not return 0xffffffff
> for a requested lifetime of 0xff.

Yes, you're right.  My apologies.  I must have messed up the CVS merge.
Somehow the routines from our old local mods were overriding the new
routines in lib/krb4/lifetime.c
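
The min() behaviour described in point 2, as an added example that is not part of the original message and is not MIT krb5 code: an "unlimited" end time of 0xffffffff wins a signed minimum, while an unsigned comparison lets the TGT and service limits apply. Assumptions: end times are held in a signed 32-bit type in the naive path, and all function names and sample times are hypothetical and constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: the naive path keeps end times in a signed 32-bit type,
 * so the "unlimited" bit pattern 0xffffffff reads back as -1. */
#define TS_NEVER_SIGNED   ((int32_t)-1)
#define TS_NEVER_UNSIGNED ((uint32_t)0xffffffffu)

/* Signed minimum: -1 is smaller than every real timestamp. */
static int32_t min_s(int32_t a, int32_t b) { return a < b ? a : b; }

/* Unsigned minimum: 0xffffffff sorts after every real timestamp. */
static uint32_t min_u(uint32_t a, uint32_t b) { return a < b ? a : b; }

/* Hypothetical: end time limited by requested end, TGT end and service
 * maximum life, compared as signed values (the failure described). */
int32_t endtime_naive(int32_t req_end, int32_t tgt_end,
                      int32_t now, int32_t svc_max_life)
{
    return min_s(req_end, min_s(tgt_end, now + svc_max_life));
}

/* Hypothetical: same limits, compared as unsigned values, so an
 * "unlimited" request is cut down to the tighter of the two limits. */
uint32_t endtime_clamped(uint32_t req_end, uint32_t tgt_end,
                         uint32_t now, uint32_t svc_max_life)
{
    return min_u(req_end, min_u(tgt_end, now + svc_max_life));
}

int main(void)
{
    /* Constructed sample times (seconds since the epoch). */
    int32_t now = 1071100000, tgt_end = now + 36000, svc_life = 7200;

    printf("naive:   0x%08x\n",
           (unsigned)endtime_naive(TS_NEVER_SIGNED, tgt_end, now, svc_life));
    printf("clamped: %u (now + %d)\n",
           (unsigned)endtime_clamped(TS_NEVER_UNSIGNED, (uint32_t)tgt_end,
                                     (uint32_t)now, (uint32_t)svc_life),
           (int)svc_life);
    return 0;
}
```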


