Don't include krb5_kdc_req->from if default start time

Stef Walter stefw at gnome.org
Tue May 8 05:31:03 EDT 2012


Been testing kerberos with clock skews again, and found another problem.

If the KDC (for my test case an AD Windows 2008 server) has a clock skew
that is in the past, then we see this behavior:

[stef at stef-desktop krb5]$ kinit Fry at AD.THEWALTER.LAN
Password for Fry at AD.THEWALTER.LAN:
kinit: Ticket is ineligible for postdating while getting initial credentials

This is because we include the optional 'from' field in the KDC
authentication request. If we were to leave it out then the KDC would
choose its time as the from time for the ticket.

With the attached patch the krb5 client will only include the 'from'
field in the KDC authentication request when it is different from the
current time. If kdc_synctime is not set then the 'from' timestamp is
unconditionally included.

This does have a small gotcha. If a start time is passed to kinit (via
-s) and that start time does just happen to be the current time (at the
time that the KDC authentication request is encoded) then the start time
will not be respected. Is this a problem? And if so, is there a
transparent way we can remedy this corner case?

Cheers,

Stef
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Don-t-include-from-time-in-KDC-req-when-using-defaul.patch
Type: text/x-patch
Size: 2271 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20120508/7637405e/attachment.bin
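To make the failure mode and the proposed fix concrete, here is an added example (not the attached patch and not MIT krb5 code) that models the client and KDC halves of the exchange described above. It assumes a simplified KDC rule: a 'from' value later than the KDC's clock plus an allowed skew (MAX_SKEW, set to MIT krb5's default of 300 seconds) is refused with KDC_ERR_CANNOT_POSTDATE (error code 10 in RFC 4120), while an absent 'from' makes the KDC start the ticket at its own clock. The timestamps and the 10-minute KDC clock offset are constructed, and the function names are hypothetical. The last scenario in main() reproduces the corner case raised at the end of the post.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 4120 error code for "Ticket not eligible for postdating". */
#define KDC_ERR_NONE            0
#define KDC_ERR_CANNOT_POSTDATE 10

/* Assumption: the KDC tolerates this much clock skew (MIT krb5's default
 * clockskew is 300 seconds). */
#define MAX_SKEW 300

/* Only the fields of KDC-REQ-BODY that matter here. */
struct kdc_req {
    bool have_from;   /* true if the optional 'from' field is encoded */
    int64_t from;     /* requested ticket start time (valid if have_from) */
    int64_t till;     /* requested ticket end time */
};

/* Client side. start_time == 0 means no -s was given, i.e. the default
 * start time, which kinit resolves to the client's current time.
 * with_patch selects the behaviour proposed in the post: encode 'from'
 * only when it differs from the client's current time. */
struct kdc_req build_as_req(int64_t start_time, int64_t client_now,
                            int64_t lifetime, bool with_patch)
{
    struct kdc_req req;
    int64_t from = (start_time != 0) ? start_time : client_now;

    req.till = from + lifetime;
    if (with_patch && from == client_now) {
        req.have_from = false;  /* leave it out; the KDC picks its own time */
        req.from = 0;
    } else {
        req.have_from = true;
        req.from = from;
    }
    return req;
}

/* KDC side, simplified (assumption, not taken from any real KDC): a 'from'
 * later than the KDC's clock plus the allowed skew is rejected as a
 * postdating request, since the client did not ask for a postdated ticket;
 * an absent 'from' means "start now" by the KDC's clock. Returns a KDC
 * error code and, on success, stores the granted start time. */
int kdc_check_start(const struct kdc_req *req, int64_t kdc_now, int64_t *granted)
{
    if (!req->have_from) {
        *granted = kdc_now;
        return KDC_ERR_NONE;
    }
    if (req->from > kdc_now + MAX_SKEW)
        return KDC_ERR_CANNOT_POSTDATE;
    *granted = req->from;
    return KDC_ERR_NONE;
}

/* Run both halves. kdc_offset is the KDC clock relative to the client
 * clock (negative = KDC clock in the past). Returns the KDC's error code. */
int run_exchange(int64_t start_time, int64_t client_now, int64_t kdc_offset,
                 bool with_patch, int64_t *granted)
{
    struct kdc_req req = build_as_req(start_time, client_now, 10 * 3600, with_patch);
    return kdc_check_start(&req, client_now + kdc_offset, granted);
}

/* Convenience: the granted start time, or -1 if the KDC rejected the request. */
int64_t granted_start(int64_t start_time, int64_t client_now,
                      int64_t kdc_offset, bool with_patch)
{
    int64_t granted;
    if (run_exchange(start_time, client_now, kdc_offset, with_patch, &granted) != KDC_ERR_NONE)
        return -1;
    return granted;
}

int main(void)
{
    /* Constructed clocks: client at T, KDC 10 minutes behind (beyond MAX_SKEW). */
    const int64_t client_now = 1336462263;  /* constructed: 2012-05-08 */
    const int64_t kdc_offset = -600;
    int64_t granted = 0;
    int err;

    err = run_exchange(0, client_now, kdc_offset, false, &granted);
    printf("without patch: err=%d (%s)\n", err,
           err == KDC_ERR_CANNOT_POSTDATE ? "Ticket is ineligible for postdating" : "ok");

    err = run_exchange(0, client_now, kdc_offset, true, &granted);
    printf("with patch:    err=%d, start time granted by KDC = %lld (its own clock)\n",
           err, (long long)granted);

    /* The corner case from the post: -s happens to equal the client's clock,
     * so the patched client drops 'from' and the KDC substitutes its own time. */
    err = run_exchange(client_now, client_now, kdc_offset, true, &granted);
    printf("with patch, -s == now: err=%d, granted=%lld, requested=%lld\n",
           err, (long long)granted, (long long)client_now);
    return 0;
}
```

Compiled and run, the first scenario fails with the same error kinit printed, the second succeeds with a start time taken from the KDC's clock, and the third shows the requested start time silently replaced, which is the gotcha the post asks about.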

