[36428] in Kerberos


Re: Fwd: Man page description of kinit -R

daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Sep 4 12:03:35 2014

Message-ID: <54088D3A.6030706@mit.edu>
Date: Thu, 04 Sep 2014 12:03:06 -0400
From: Greg Hudson <ghudson@mit.edu>
To: Brett Randall <javabrett@gmail.com>, kerberos@mit.edu
In-Reply-To: <CALeEUB5cH-oM1Zecb2pH_jYCoh85w-FmquTjWTj_n40JDnA52Q@mail.gmail.com>

On 09/04/2014 01:58 AM, Brett Randall wrote:
> I create a short-life, renewable ticket, then use klist -s to check
> before/after it has expired.  Then kinit -R is able to renew the
> ticket.

From your sequence of operations, you're just seeing the five-minute
grace period for expired tickets.  This grace period exists in order to
tolerate small amounts of clock skew between the client and KDC.

> Also I have read one piece of client code that behaves like this is
> standard behaviour - it waits until the TGT expires, then renews it.

For automated processes, I would recommend trying to renew the ticket
when it is halfway to expired.  That's reasonably efficient, allows
plenty of time to recover from a temporary network or KDC outage, and
doesn't eat into the built-in clock skew tolerance by relying on the
grace period.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
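
The renewal timing recommended in the message above, as an added example that is not part of the original post or of the MIT krb5 code: a small planner that decides whether an automated process should wait, run `kinit -R`, or obtain a fresh ticket. The function names are hypothetical, the ticket times are assumed to be supplied by the caller, and the five-minute constant models the grace period described in the reply.

```python
import subprocess
from datetime import datetime, timedelta, timezone

# Assumption: models the five-minute grace period for expired tickets
# mentioned in the reply; a real deployment may tolerate a different skew.
CLOCK_SKEW = timedelta(minutes=5)


def plan_renewal(start, end, renew_till, now):
    """Return (action, when) for a renewable TGT.

    "wait"   - less than halfway to expiry; renew at `when`
    "renew"  - at or past the halfway point; renew now
    "grace"  - already expired; renewal only works inside the skew window
    "reauth" - renewal can no longer work; a fresh kinit is needed
    """
    if now >= renew_till or now >= end + CLOCK_SKEW:
        return ("reauth", None)
    if now >= end:
        # Works today, but eats into the clock skew tolerance.
        return ("grace", now)
    halfway = start + (end - start) / 2
    if now >= halfway:
        return ("renew", now)
    return ("wait", halfway)


def renew_if_due(start, end, renew_till, now=None):
    """Run `kinit -R` when the plan says so; return the action taken."""
    now = now or datetime.now(timezone.utc)
    action, _ = plan_renewal(start, end, renew_till, now)
    if action in ("renew", "grace"):
        # kinit -R renews the TGT in the default credential cache.
        ok = subprocess.run(["kinit", "-R"]).returncode == 0
        return action if ok else "reauth"
    return action


if __name__ == "__main__":
    # Constructed sample: a 10-minute ticket renewable for one hour.
    t0 = datetime(2014, 9, 4, 12, 0, tzinfo=timezone.utc)
    end, till = t0 + timedelta(minutes=10), t0 + timedelta(hours=1)
    for minutes in (2, 5, 12, 15, 61):
        now = t0 + timedelta(minutes=minutes)
        print(minutes, plan_renewal(t0, end, till, now))
```

A process that sees "grace" in its logs is renewing too late and should be rescheduled to the halfway point.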
