Fix AS REQ start and end time to respect skew

Stef Walter stef at
Wed May 22 08:03:32 EDT 2013

Since the kerberos protocol uses timestamp rather than duration deltas
for its starttime, endtime, and renewtime KDC AS REQ fields, we have
to calculate these with respect to the offsets we know about received
from the server.

Currently, when we calculate the endtime of the ticket (from either the
requested or default ticket lifetime) we do it using system time. If the
system is sufficiently skewed, this results in sending an endtime in the
AS REQ which is in the past from the server's point of view.

This results in:

kinit: Requested effective lifetime is negative or too short while
getting initial credentials

The attached patch uses the unauthenticated time received during preauth
to calculate these offsets.

Alternatively we could try to get the authenticated server time by doing
a request without an endtime (ie: set to zero), and then doing the
actual TGT request that we keep.




stef at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-krb5-Fix-ticket-start-and-end-time-to-respect-skew.patch
Type: text/x-patch
Size: 8519 bytes
Desc: not available
Url :

More information about the krbdev mailing list