preserve original starttime on renewed TGTs

Jeffrey Altman jaltman at
Fri Nov 19 18:24:19 EST 2010

On 11/19/2010 5:01 PM, Nicolas Williams wrote:
> On Fri, Nov 19, 2010 at 04:43:42PM -0500, Simo Sorce wrote:
>> On Fri, 19 Nov 2010 13:21:34 -0800
>> Frank Cusack <frank+krb at> wrote:
>>> When running 'kinit -R', the KDC resets the starttime on the returned
>>> TGT to "now".  I'd like to modify my KDC to preserve the original
>>> starttime instead.  That could make a renewed TGT appear to have
>>> longer than the normal maximum configured lifetime, but it seems like
>>> a fairly trivial non-problem.  As opposed to a postdated ticket, this
>>> would be now be a predated ticket.
>> Hi Frank,
>> I am curious to understand why you want to do that.
>> What class of use cases does it solve? 
> My guess: it helps deal with servers whose clocks are a little bit
> behind (but still within skew).

I'm going to put my money on KCA issued short-lived certificates.  The
certs are frequently issued with a period of validity from starttime to
max renew lifetime.

Jeffrey Altman

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: OpenPGP digital signature
Url :

More information about the krbdev mailing list