Krb524d and Ticket Lifetimes
bpcreech at eos.ncsu.edu
Mon Apr 28 14:48:15 EDT 2003
Scratch that, I accidentally hit send on the wrong e-mail first. It
turns out we're running a patched version of krb524d. I'm 90% sure
that's causing my problem.
On Mon, 2003-04-28 at 14:33, Ben Creech wrote:
> I'm seeing a weird problem in which getting krb5 tickets of lifetime >
> 60*5*254 breaks my Windows AFS client (OpenAFS 1.2.8a). If I get krb5
> sgt's with lifetime 60*5*254, the client works, and if I get sgt's with
> lifetime 60*5*255, the service becomes unresponsive. I am still
> debugging the problem, but I have a nagging feeling it has something to
> do with strange behavior in krb524.
> My question is this:
> Why does the krb524 client library use the fixed 5-minute interval
> algorithm to calculate lifetime (for the unencrypted part of the token),
> while krb524d uses the CMU lifetime algorithm?
> For the unfamiliar (or forgetful), the standard (original?) lifetime
> representation uses the single-byte token field to indicate 5-minute
> intervals from 0 to 21.25 hours. The CMU algorithm plugs values greater
> than 127 into an exponential function, such that "128" means 10.67
> hours, and "255" means 30 days.
> Ben Creech
> NCSU ITECS
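The two readings of the one-byte lifetime field described in the quoted message, side by side, as an added example that is not part of the original post and is not krb524 or OpenAFS code. All names are hypothetical, and `decode_cmu_model` is an assumed geometric curve fitted only to the two data points the post gives (128 is 10.67 hours, 255 is 30 days); it does not reproduce any implementation's actual table.

```python
# Added illustration of the lifetime-byte mismatch; not code from krb524.
FIXED_STEP = 5 * 60              # seconds per unit in the fixed 5-minute scheme
CMU_MIN_BYTE = 128               # first byte value read on the exponential scale
CMU_MIN_SECS = 128 * FIXED_STEP  # 38400 s = 10h40m, the "10.67 hours" in the post
CMU_MAX_SECS = 30 * 24 * 3600    # 30 days for byte 255, as stated in the post


def encode_fixed(seconds):
    """Encode a lifetime as whole 5-minute intervals, capped to one byte."""
    return min(seconds // FIXED_STEP, 255)


def decode_fixed(byte):
    """Fixed scheme: the byte counts 5-minute intervals (0 to 21.25 hours)."""
    return byte * FIXED_STEP


def decode_cmu_model(byte):
    """Assumed model of the CMU-style reading: linear below 128, then a
    geometric curve through (128, 10h40m) and (255, 30 days)."""
    if byte < CMU_MIN_BYTE:
        return byte * FIXED_STEP
    frac = (byte - CMU_MIN_BYTE) / (255 - CMU_MIN_BYTE)
    return round(CMU_MIN_SECS * (CMU_MAX_SECS / CMU_MIN_SECS) ** frac)


def disagreeing_bytes():
    """Byte values that the two decoders turn into different lifetimes."""
    return [b for b in range(256) if decode_fixed(b) != decode_cmu_model(b)]


def report(seconds):
    """Encode with the fixed scheme, then decode the same byte both ways."""
    b = encode_fixed(seconds)
    return b, decode_fixed(b), decode_cmu_model(b)


if __name__ == "__main__":
    # Constructed inputs: a short lifetime plus the two values from the post.
    for secs in (60 * 5 * 100, 60 * 5 * 254, 60 * 5 * 255):
        b, fixed, cmu = report(secs)
        print(f"{secs:6d}s -> byte {b:3d}: fixed {fixed / 3600:6.2f} h, "
              f"CMU model {cmu / 86400:5.2f} d")
    bad = disagreeing_bytes()
    print(f"decoders disagree for bytes {bad[0]}..{bad[-1]}")
```

Under this model the two readings agree for every byte up to 128 and diverge for all larger values, so a lifetime written by one side with the fixed scheme and read by the other with the exponential one is stretched from hours to weeks.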