KRB5 API and Panther
Brian
brianboy at apple.com
Mon Jan 26 15:41:48 EST 2004
The KRB5 API on OSX 10.3 Panther
The call to get TGT
    krb5_get_in_tkt_with_password(context, .....,..
                                  &my_creds, &ret_as_reply);
does not honor starttime/lifetime/renewtime settings done with the
credentials option.
ex:
    krb5_creds my_creds;
    ...
    my_creds.times.starttime = now;
    my_creds.times.endtime = now + (10*60);
    my_creds.times.renew_till = now + (20*60);
It works fine in Jaguar.
We believe the bug is in
krb5int_populate_gic_opt (file gic_pwd.c):
    if (options&KDC_OPT_FORWARDABLE)
        krb5_get_init_creds_opt_set_forwardable(opt, 1);
    else krb5_get_init_creds_opt_set_forwardable(opt, 0);
    if (options&KDC_OPT_PROXIABLE)
        krb5_get_init_creds_opt_set_proxiable(opt, 1);
It only sets the options for forwardable and proxiable but not for
lifetime etc.
A way to get around this is by using the
krb5_get_init_creds_password() call.
ex:
    ...
    krb5_get_init_creds_opt_set_tkt_life(&opt, 20*60);
    krb5_get_init_creds_opt_set_renew_life(&opt, 0);
    krb5_get_init_creds_opt_set_forwardable(&opt, 0);
    krb5_get_init_creds_opt_set_proxiable(&opt, 0);
    krb5_get_init_creds_opt_set_preauth_list(&opt,&PA_LIST,1);
    ...
    ec = krb5_get_init_creds_password(context, &my_creds, my_principal,
                                      password, NULL, NULL, 0, cserver, &opt);
    ...
Works fine.
Brian
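
Added example, not part of the original post or of the krb5 sources: a check a caller can run on the returned credentials to notice when a requested short lifetime was silently ignored, as in the behaviour reported above. The struct is a local stand-in using the field names of krb5_ticket_times (in real code the values would come from my_creds.times), and the function names, flag names, skew value and sample replies are assumptions of this example.

```c
#include <stdio.h>
#include <time.h>

/* Local stand-in with the field names of MIT krb5's krb5_ticket_times, so the
 * check compiles without Kerberos headers (assumption of this example). */
struct ticket_times { time_t authtime, starttime, endtime, renew_till; };

enum { TKT_OK = 0,
       TKT_LIFE_TOO_LONG  = 1 << 0,   /* endtime later than requested        */
       TKT_RENEW_TOO_LONG = 1 << 1,   /* renewable longer than requested     */
       TKT_BAD_ORDER      = 1 << 2 }; /* endtime not after start of validity */

/* Compare the times in the returned credentials with the times requested.
 * skew is the tolerated clock difference in seconds. */
int check_issued_times(const struct ticket_times *req,
                       const struct ticket_times *got, time_t skew)
{
    int flags = TKT_OK;
    /* An unset starttime means the ticket is valid from authtime. */
    time_t start = got->starttime ? got->starttime : got->authtime;

    if (got->endtime <= start)
        flags |= TKT_BAD_ORDER;
    if (got->endtime > req->endtime + skew)
        flags |= TKT_LIFE_TOO_LONG;
    if (req->renew_till == 0) {              /* non-renewable was requested */
        if (got->renew_till != 0)
            flags |= TKT_RENEW_TOO_LONG;
    } else if (got->renew_till > req->renew_till + skew) {
        flags |= TKT_RENEW_TOO_LONG;
    }
    return flags;
}

/* Constructed sample data: the request from the post (10 min life, 20 min
 * renewable) against made-up replies. NOW is a constructed timestamp. */
#define NOW ((time_t)1075149708)

int demo(time_t life, time_t renew)
{
    struct ticket_times req = { 0, NOW, NOW + 10*60, NOW + 20*60 };
    struct ticket_times got = { NOW, NOW, NOW + life, NOW + renew };
    return check_issued_times(&req, &got, 300);
}

int main(void)
{
    /* 10 h life and 7 d renewable are invented defaults for illustration. */
    printf("lifetime ignored: %d\n", demo(10*60*60, 7*24*60*60)); /* 3 */
    printf("lifetime honored: %d\n", demo(10*60, 20*60));         /* 0 */
    return 0;
}
```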