[krbdev.mit.edu #8165] [krb5bug] Kerberos ticket expired error with lifetime remaining
Roland Mainz via RT
rt-comment at krbdev.mit.edu
Sun Apr 12 18:37:36 EDT 2015
Hi!
----
[More or less the same as Redhat bug #1208553 ("Kerberos ticket expired error with lifetime remaining")]
Kerberos TGTs with a short lifetime (<3 minutes) give problems obtaining tickets. The problem seems to be worse in krb5-1.12.x (compared to krb5-1.10.x), with a significant threshold around 120 seconds (with a TGT lifetime of 120s or less, obtaining a ticket fails 90% of the time, with a lifetime of 121s it succeeds 90% of the time, with 126s it succeeds ~100%).
Steps to Reproduce:
1. kinit -l 120s -k -t <keytab> <principal> && kvno 'host/<host>'
Actual results:
kvno: Ticket expired while getting credentials for host/<host>@<domain>
Expected results:
host/<host>@<domain>: kvno = 3
Additional info:
Time difference with the KDC is less than 0.1 seconds.
I also see the problem with krb5-1.10.x, but with much less pronounced 120s threshold.
----
Bye,
Roland
--
__ . . __
(o.\ \/ /.o) rmainz at redhat.com
\__\/\/__/ IPA/Kerberos5 team
/O /==\ O\
(;O/ \/ \O;)
More information about the krb5-bugs
mailing list