Supporting kdc_timesync offsets in memory credentials caches

Greg Hudson ghudson at MIT.EDU
Wed Aug 29 15:04:37 EDT 2012

On 08/29/2012 02:38 PM, Nate Rosenblum wrote:
> I've attached a patch that persists the skew offsets in kdc_timesync
> mode in memory ccaches, as is done in v4 file caches. LMK what you
> think.

The patch didn't make it through our list software.  If you wouldn't
mind putting it in a github fork, that would be easiest; alternatively,
you can include it inline.

The idea seems reasonable.  At some point, we want to make some changes
to the way we handle time offsets from ccaches, treating them more
deliberately rather than having a ccache "infect" a context when it is
opened.  This way, if you have credentials in multiple realms where each
realm's KDCs have a different time, you use the correct offset for each
realm.  (I'm not sure how often this kind of situation arises, since it
implies one of the realms is using the wrong time on its KDCs.  But
we've been asked to support it.)  But it still makes sense for memory
ccaches to carry time offsets.

More information about the krbdev mailing list