On 10/16/2017 12:28 PM, Hostetler,Alex wrote: > Another thing that is different between the two versions is the lack of a > renew until time on the klist above this kinit –R. It still has a renewable > flag, which confused me a bit.
That is a known bug. The intent of the 1.12-1.15 KDC code was to issue a non-renewable ticket in this case, but due to an oversight, a ticket is issued with the renewable flag but no renewable end time. When you try to renew such a ticket, you see a "Ticket expired" error because, while the ticket isn't expired in the normal sense, the KDC sees the ticket renewable end time as 0, and there is no separate error code for renewable-time-expired. If the ticket were actually not renewable as intended, you would instead see a "KDC can't fulfill requested option" error (which admittedly isn't very descriptive either). This bug is fixed for 1.16 by #8609, alongside the change to issue trivially renewable tickets again. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
