Gss context refresh failure due to clock skew

Greg Hudson ghudson at
Wed Oct 7 10:45:08 EDT 2015

On 10/07/2015 09:22 AM, Adamson, Andy wrote:
> Actually, setting the service ticket lifetime to be equal to (or greater than if this is possible) the TGT lifetime will not help. Just as in the example I sent, the application will get permission denied during the time difference between the client and server clock.

That is expected.  What is not expected, in this variant, is that
gss_init_sec_context() will succeed by itself once the client believes
the TGT and service ticket to have expired.  Apologies for any
miscommunication on this point.

There may be something in the calling code which refreshes the TGT in
this situation.  If so, then to fully understand the scenario, we need
to know how the calling code decides when to refresh the TGT.

I opened a ticket about this issue here:

More information about the krbdev mailing list