Premature Error 32 (tickets expired) in K4?
Sam Hartman
hartmans at MIT.EDU
Wed Dec 10 16:05:18 EST 2003
>>>>> "Ron" == Ron DiNapoli <rd29 at cornell.edu> writes:
>> The problem is that K4 stores a ticket lifetime not an end
>> time. The lifetime is (for these purposes) in increments of
>> five minutes. So, let's say I have a ticket that is valid for
>> 30 more seconds and I ask the KDC for a new ticket. The KDC
>> can either issue me no ticket, or it can issue me a ticket
>> valid for five minutes. If it issues me a ticket valid for
>> five minutes then I can continue renewing this ticket forever
>> every five minutes.
>>
Ron> I understand that, in this scenario, your service ticket
Ron> would be good for 5 minutes, but that wouldn't change the
Ron> fact that your TGT expires in 30 seconds right? And once the
Ron> TGT is expired (+ 5 minutes if you are perfectly sync'd
Ron> timewise with the KDC and have applied my proposed mod)
Ron> doesn't that prevent you from obtaining/renewing more service
Ron> tickets?

Except one kind of service ticket I can request is a new TGT.

>> According to Mark, the folks at Cygnus fixed this problem by
>> changing the krb4 boundary conditions such that tickets had
>> five minutes less lifetime than apparent instead of five
>> minutes more lifetime than apparent.
>>
>>
Ron> Just to clarify, does this mean that the code in the
Ron> krb5-1.3.1 tree in question was purposely made that way due
Ron> to this Cygnus fix?

Correct.

More information about the krbdev mailing list
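
Added example (not part of the original message and not code from the krb5 tree): a simplified model of the boundary condition discussed in the thread, comparing a KDC that rounds the remaining lifetime up to the next five-minute unit with one that rounds it down. The function names, the 600-second starting TGT and the request timing are assumptions made for illustration.

```c
#include <stdio.h>

#define UNIT 300L  /* K4 lifetime granularity from the thread: five minutes */

enum rounding { ROUND_UP, ROUND_DOWN };

/* Lifetime units granted for `remaining` seconds of TGT validity.
 * ROUND_UP models "five minutes more lifetime than apparent",
 * ROUND_DOWN models "five minutes less lifetime than apparent". */
static long grant_units(long remaining, enum rounding r)
{
    if (remaining <= 0)
        return 0;
    return r == ROUND_UP ? (remaining + UNIT - 1) / UNIT : remaining / UNIT;
}

/* Start with a TGT that expires at first_end (seconds). ask_before seconds
 * before the current TGT expires, use it to request a new TGT. Returns the
 * end time of the last TGT obtained after at most max_requests requests. */
static long chain_end(long first_end, long ask_before, int max_requests,
                      enum rounding r)
{
    long end = first_end;
    for (int i = 0; i < max_requests; i++) {
        long now = end - ask_before;
        long units = grant_units(end - now, r);
        if (units == 0)
            break;                  /* KDC issues no ticket; the chain stops */
        end = now + units * UNIT;   /* new TGT stores a lifetime, not an end time */
    }
    return end;
}

int main(void)
{
    /* Constructed scenario: TGT ends at t=600, client asks with 30 s left. */
    printf("round up:   chain valid until t=%ld\n",
           chain_end(600, 30, 100, ROUND_UP));
    printf("round down: chain valid until t=%ld\n",
           chain_end(600, 30, 100, ROUND_DOWN));
    return 0;
}
```

With rounding up, every request made with 30 seconds left moves the end time 270 seconds later, so the chain never expires; with rounding down, no chain of requests ends later than the original TGT.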