On 10/16/2017 11:03 AM, Hostetler,Alex wrote:
> Here the ticket lifetime is 2 mins, renew time is 6 mins. We sleep for 140
> seconds and are still able to renew the ticket anyway. I believe this is a
> bug.

Because the client and KDC clocks might drift, the KDC applies a grace
period to ticket expiration, defaulting to five minutes. I think that's
what you are seeing here, as the ticket has only been expired for 20
seconds in this scenario.

> Similar situation. Ticket lifetime is 2 mins, renewable for 6. When we get
> to the 5th min of the renew until time, where if we were to kinit -R again
> the expiration date would be outside of that renew until time, should the
> ticket expire or should the valid starting time just be updated and the
> expiration time capped? We had a patched package that did things the latter
> way and the regular 1.14 packages that do it the former.

I can't figure out what "5th min of the renew until time" means here.
Are you talking about five minutes after the initial ticket issuance
time, or seven? When you say "lifetime is 2 mins, renewable for 6", is
the renewable end time six minutes after the initial ticket issuance
time (what I would expect), or eight? I'm also not sure what you mean
by "should the ticket expire?"

Although I don't understand the question, I can say there have been some
changes in KDC behavior around this area. Releases 1.12 through 1.15
will not issue "trivially renewable tickets", where renewable endtime
doesn't exceed ticket endtime; instead it will issue a non-renewable
ticket. The forthcoming release 1.16 will go back to issuing trivially
renewable tickets.

http://krbdev.mit.edu/rt/Ticket/Display.html?id=7661
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8609

> This may be answered in the above, but when we kinit -R in a situation like
> the second problem, at the end of the renew until time so the ticket lifetime
> would put it outside of that window. We see the ticket expire in 1.14, but
> when doing a klist the ticket still looks valid since it shows it within the
> valid starting time and expiration date. The ticket no longer functions – as
> expected from the output of kinit -R, is the expired ticket displayed in any
> way to klist?

I don't think the KDC should ever issue a ticket which is already
expired. I'd like to see more specifics about this case.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
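
The timeline discussed in this thread, worked through a simplified model. This is an added example, not part of the original message and not MIT krb5 code. The `Ticket` class, the `renew` function and the `issue_trivially_renewable` switch are hypothetical names; the end-time cap follows RFC 4120, and treating the renewable end time as a hard limit with no grace period is an assumption of the model.

```python
from dataclasses import dataclass

CLOCKSKEW = 300  # seconds; the five-minute default grace period mentioned above


@dataclass
class Ticket:
    start: int        # all times in seconds since the initial issuance
    end: int
    renew_till: int
    renewable: bool


def renew(tkt, now, issue_trivially_renewable, skew=CLOCKSKEW):
    """Return the renewed Ticket, or None if this model's KDC refuses.

    issue_trivially_renewable=False models releases 1.12 through 1.15 as
    described in the reply; True models the 1.16 behaviour.
    """
    if not tkt.renewable:
        return None
    # Expiration is checked with the grace period, so a ticket that expired
    # less than `skew` seconds ago is still accepted for renewal.
    if now > tkt.end + skew:
        return None
    # Assumption: the renewable end time is a hard limit (no grace period).
    if now > tkt.renew_till:
        return None
    lifetime = tkt.end - tkt.start
    # RFC 4120: new end time is the old lifetime from now, capped at renew_till.
    new_end = min(now + lifetime, tkt.renew_till)
    # "Trivially renewable": renewable end time does not exceed ticket end time.
    trivial = tkt.renew_till <= new_end
    renewable = issue_trivially_renewable or not trivial
    return Ticket(now, new_end, tkt.renew_till, renewable)


# Constructed scenario: lifetime 2 min, renewable end time 6 min after issuance.
INITIAL = Ticket(start=0, end=120, renew_till=360, renewable=True)

if __name__ == "__main__":
    t1 = renew(INITIAL, now=140, issue_trivially_renewable=False)
    print("renewed 20 s after expiry:", t1)
    print("1.12-1.15 model at t=300:", renew(t1, 300, False))
    print("1.16 model at t=300:     ", renew(t1, 300, True))
```

In this model the renewal at t=300 gets an end time capped at 360 either way; the two behaviours differ only in whether the resulting ticket still carries the renewable flag.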