Sorry, forgot to mention: The time difference with the KDC is within 0.1s seconds (according to ntpdate). The KDC runs Windows Server (if that matters?).
On 04/02/2015 04:34 PM, Stephen Carville (Kerberos List) wrote: > My first suspicion is that the clock on the client is about 120 seconds > ahead of the KDC. > > On 04/02/2015 06:16 AM, Robbert Eggermont [Masked] wrote: > >> Hi, >> >> For some time (years) I've been using tickets with a 1 minute lifetime >> (in cron jobs). Lately, this is giving me problems: >> >> $ kinit -l 1m -k -t <keytab> <principal> && kvno 'host/<host>' >> kvno: Ticket expired while getting credentials for host/<host>@<domain> >> >> With RHEL7 (krb5-1.12.2), the problems seem to be much worse, so I did a >> little experimentation which seems to indicate some kind of limit at 120s: >> >> $ kinit -l 120s -k -t <keytab> <principal> && kvno 'host/<host>' >> kvno: Ticket expired while getting credentials for host/<host>@<domain> >> $ kinit -l 121s -k -t <keytab> <principal> && kvno 'host/<host>' >> host/<host>@<domain>: kvno = 3 >> >> The first fails 90% of the time, the second succeeds 90% of the time. >> >> What am I seeing here, and is it supposed to be like this? >> >> Thanks, >> >> Robbert -- Robbert Eggermont Intelligent Systems r.eggerm...@tudelft.nl Electr.Eng., Mathematics & Comp.Science +31 15 27 83234 Delft University of Technology ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
