Interesting, I'll take a look, thanks!

On Wed, Jul 29, 2015 at 8:12 PM, Benjamin Kaduk <ka...@mit.edu> wrote:

> On Wed, 29 Jul 2015, Ken Hornstein wrote:
>
> > >Is there any general wisdom out there about mixed KDC/Client versions? Are
> > >there concerns around allowing environments drift to where a KDC would be
> > >on a later release than the clients?
> >
> > FWIW, we run a whole bunch of crazy versions of Kerberos, and generally
> > there is not an interoperability problem; the protocol is pretty well
> > specified and in general everything works fine at that level.
>
> Yes; it is expected that any implementation of the kerberos protocol can
> successfully talk to a peer running a different implementation, including
> the case where the peers differ only by software version and have a common
> lineage.
>
> > >There seems to be a change in default behavior in the 1.12+ where renewable
> > >tickets must be specifically requested (RHEL 7 is including the 1.12 as the
> > >tested krb release in platform).
> >
> > This is more of a problem, but I don't consider this an interoperability
> > issue.
>
> That sort-of calls to mind
> https://github.com/krb5/krb5/commit/4f551a7ec126c52ee1f8fea4c3954015b70987bd,
> and makes me wonder what the actual lifetimes in the request are (and the
> max permitted by the KDC).
>
> -Ben
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Todd Grayson
Customer Operations Engineering