Krb524d and Ticket Lifetimes

Mon Apr 28 14:48:15 EDT 2003

Scratch that, I accidentally hit send on the wrong e-mail first.  It
turns out we're running a patched version of krb524d.  I'm 90% sure
that's causing my problem.

On Mon, 2003-04-28 at 14:33, Ben Creech wrote:
> I'm seeing a weird problem in which getting krb5 tickets of lifetime >
> 60*5*254 breaks my Windows AFS client (OpenAFS 1.2.8a).  If I get krb5
> sgt's with lifetime 60*5*254, the client works, and if I get sgt's with
> lifetime 60*5*255, the service becomes unresponsive.  I am still
> debugging the problem, but I have a nagging feeling it has something to
> do with strange behavior in krb524.
>
> My question is this:
> Why does the krb524 client library use the fixed 5-minute interval
> algorithm to calculate lifetime (for the unencrypted part of the token),
> while krb524d uses the CMU lifetime algorithm?
>
> For the unfamiliar (or forgetful), the standard (original?) lifetime
> representation uses the single-byte token field to indicate 5-minute
> intervals from 0 to 21.25 hours.  The CMU algorithm plugs values greater
> than 127 into an exponential function, such that "128" means 10.67
> hours, and "255" means 30 days.
>
> Thanks,
> Ben Creech
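
The two readings of the one-byte lifetime field described in the quoted message, as an added example that is not part of the original thread or of the krb524 source. The fixed scheme follows the message directly; the exponential curve is modelled as a geometric progression between the two endpoints the message gives (10.67 hours at 128, 30 days at 255), which is an assumption, and all function names are hypothetical.

```python
"""One-byte krb4 ticket lifetime field, read two ways (added example)."""

FIVE_MIN = 5 * 60
CURVE_START = 128                  # message: values greater than 127 use the curve
CURVE_MIN_SECS = 128 * FIVE_MIN    # 38400 s, the "10.67 hours" in the message
CURVE_MAX_SECS = 30 * 24 * 3600    # the "30 days" in the message


def fixed_decode(b):
    """Fixed scheme: the byte counts 5-minute intervals (0 to 21.25 hours)."""
    return b * FIVE_MIN


def fixed_encode(seconds):
    """Round up to whole 5-minute intervals, saturating at 255."""
    return min(255, -(-seconds // FIVE_MIN))


def cmu_decode(b):
    """ASSUMED model of the CMU scheme: identical to the fixed scheme below
    128, then geometric growth from 38400 s at 128 to 30 days at 255."""
    if b < CURVE_START:
        return b * FIVE_MIN
    frac = (b - CURVE_START) / (255 - CURVE_START)
    return round(CURVE_MIN_SECS * (CURVE_MAX_SECS / CURVE_MIN_SECS) ** frac)


def cmu_encode(seconds):
    """Smallest byte whose modelled lifetime covers the requested seconds."""
    return next((b for b in range(256) if cmu_decode(b) >= seconds), 255)


def compare(seconds):
    """(byte a fixed-scheme writer emits, byte a CMU writer emits,
    seconds a CMU reader would take the fixed-scheme byte to mean)."""
    fb = fixed_encode(seconds)
    return fb, cmu_encode(seconds), cmu_decode(fb)


if __name__ == "__main__":
    # Constructed sample lifetimes, including the two from the message.
    for life in (60 * 5 * 100, 60 * 5 * 128, 60 * 5 * 254, 60 * 5 * 255):
        fb, cb, misread = compare(life)
        print(f"{life:>6} s: fixed byte {fb:3d}, CMU byte {cb:3d}, "
              f"fixed byte read as CMU = {misread} s")
```

Under this model the two schemes agree for every byte up to 128 and diverge above it, so a byte written by one side and read by the other only changes meaning for lifetimes longer than 10.67 hours.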
