AS-REQ with till being the epoch
Greg Hudson
ghudson at mit.edu
Wed Aug 30 11:15:13 EDT 2017
On 08/30/2017 10:34 AM, Weijun Wang wrote:
>> I guess you have also configured the KDC not to have any ticket lifetime
>> limits, so the KDC winds up using kdc_infinity (2**32-1) as the ticket
>> end time.
>
> No. I have "max_life = 10h 0m 0s" for the realm in kdc.conf.
Ah, then this is definitely a regression in the y2038 work, and it is
good that you noticed it.
> 1769 life = ts_delta(until, starttime);
>
> life is now a negative number.
>
> 1770
> 1771 if (client != NULL && client->max_life != 0)
> 1772 life = min(life, client->max_life);
>
> Why not call ts_min here? And below.
The theory was that ts_min() and related functions are necessary when
operating on timestamps, not intervals, because the goal of the y2038
work was to handle timestamps after 2038, not intervals larger than 2^31
seconds. But that theory obviously breaks down when we compute
intervals between the new kdc_infinity (2^32-1, up from 2^31-1) and the
current time as we do here. I will fix it. I will also look harder at
other uses of krb5_deltat.
More information about the krbdev
mailing list