-f option with kinit

Xu, Qiang (FXSGSC) Qiang.Xu at fujixerox.com
Thu Oct 9 22:47:09 EDT 2008


> -----Original Message-----
> From: Ken Raeburn [mailto:raeburn at MIT.EDU]
> Sent: Wednesday, October 08, 2008 8:47 PM
> To: Xu, Qiang (FXSGSC)
> Cc: Nicolas Williams; krbdev at mit.edu
> Subject: Re: -f option with kinit
>
> The KDC will send this back if your client uses a preauth
> scheme which carries as part of its protocol a timestamp; you
> could change the client not to use these preauth schemes I
> suppose.  Or alter the KDC either not to implement the check,
> or to allow a much larger maximum clock skew.

Based on your suggestions and Jeffery's opinion, I have taken a shortcut, that is, to manually set the printer's time and gmtoffset to be the same as those on the KDC. This can eliminate the time sync error KRB5KRB_AP_ERR_SKEW. That saves me the hassle and tussle with NTP for now. :-)

And now, I can have the tickets:
===================================================
denalic01:/tmp/dlms/kerberos/apps <201> kinit 120117097110 at SESSWIN2003.COM -M 070097105114049050051
denalic01:/tmp/dlms/kerberos/apps <202> klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: xuan at SESSWIN2003.COM

Valid starting     Expires            Service principal
10/10/08 11:09:24  10/10/08 21:09:35  krbtgt/SESSWIN2003.COM at SESSWIN2003.COM
        renew until 10/11/08 11:09:24, Flags: RIA


denalic01:/tmp/dlms/kerberos/apps <203> kinit 120117097110 at SESSWIN2003.COM -M 070097105114049050051 -f
denalic01:/tmp/dlms/kerberos/apps <204> klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: xuan at SESSWIN2003.COM

Valid starting     Expires            Service principal
10/10/08 11:11:00  10/10/08 21:11:11  krbtgt/SESSWIN2003.COM at SESSWIN2003.COM
        renew until 10/11/08 11:11:00, Flags: FRIA
===================================================
It seems I can get the tickets from the server whether or not the request is forwardable. The only difference seems to be in the flags returned, with FRIA for a forwardable request, and RIA for a non-forwardable request. Does the character F in the flags FRIA represent "forwardable"?

Just want to confirm that what I get from the server is correct.

Thanks,
Xu Qiang
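
Added example, not part of the original message or of MIT Kerberos: a small parser for `klist -f` output that expands the flag letters using the table in the MIT klist man page (F forwardable, R renewable, I initial, A preauthenticated) and lists forwardable TGTs. The function names and the assumed timestamp format are this example's own; the sample input is the two outputs from the message as they appear in the archive.

```python
import re

# Flag letters printed by MIT Kerberos `klist -f`, per its man page.
KLIST_FLAGS = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hardware-authenticated", "A": "preauthenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}
# Assumption: timestamps are in the MM/DD/YY HH:MM:SS form shown in the post.
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S.*)$")
RENEW = re.compile(rf"renew until ({STAMP})")
FLAGS = re.compile(r"Flags:\s*(\S+)")

def parse_klist(text):
    """Return one dict per ticket found in `klist -f` output."""
    tickets = []
    for line in text.splitlines():
        m = TICKET.match(line.strip())
        if m:
            tickets.append({"start": m[1], "expires": m[2], "service": m[3],
                            "renew_until": None, "flags": []})
        elif tickets:  # continuation line of the most recent ticket
            r, f = RENEW.search(line), FLAGS.search(line)
            if r:
                tickets[-1]["renew_until"] = r[1]
            if f:  # unknown letters stay visible instead of being dropped
                tickets[-1]["flags"] = [KLIST_FLAGS.get(c, f"unknown({c})")
                                        for c in f[1]]
    return tickets

def forwardable_tgts(text):
    """Service principals of krbtgt tickets carrying the F flag."""
    return [t["service"] for t in parse_klist(text)
            if t["service"].startswith("krbtgt/") and "forwardable" in t["flags"]]

# Sample input: the two klist outputs from the post, as archived.
WITHOUT_F = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: xuan at SESSWIN2003.COM
Valid starting     Expires            Service principal
10/10/08 11:09:24  10/10/08 21:09:35  krbtgt/SESSWIN2003.COM at SESSWIN2003.COM
        renew until 10/11/08 11:09:24, Flags: RIA"""
WITH_F = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: xuan at SESSWIN2003.COM
Valid starting     Expires            Service principal
10/10/08 11:11:00  10/10/08 21:11:11  krbtgt/SESSWIN2003.COM at SESSWIN2003.COM
        renew until 10/11/08 11:11:00, Flags: FRIA"""
```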



