Krb524d and Ticket Lifetimes
bpcreech at eos.ncsu.edu
Mon Apr 28 14:33:46 EDT 2003
I'm seeing a weird problem in which getting krb5 tickets of lifetime >
60*5*254 breaks my Windows AFS client (OpenAFS 1.2.8a). If I get krb5
sgt's with lifetime 60*5*254, the client works, and if I get sgt's with
lifetime 60*5*255, the service becomes unresponsive. I am still
debugging the problem, but I have a nagging feeling it has something to
do with strange behavior in krb524.
My question is this:
Why does the krb524 client library use the fixed 5-minute interval
algorithm to calculate lifetime (for the unencrypted part of the token),
while krb524d uses the CMU lifetime algorithm?
For the unfamiliar (or forgetful), the standard (original?) lifetime
representation uses the single-byte token field to indicate 5-minute
intervals from 0 to 21.25 hours. The CMU algorithm plugs values greater
than 127 into an exponential function, such that "128" means 10.67
hours, and "255" means 30 days.
More information about the krbdev