[36432] in Kerberos
Re: Fwd: Fwd: Man page description of kinit -R
daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Fri Sep 5 13:39:29 2014
Date: Fri, 5 Sep 2014 13:39:01 -0400 (EDT)
From: Benjamin Kaduk <kaduk@mit.edu>
To: Brett Randall <javabrett@gmail.com>
In-Reply-To: <CALeEUB4a897PwctN2pjhVWN4YDP=rG9AYOd4fM7Z6BkfPSkePg@mail.gmail.com>
Message-ID: <alpine.GSO.1.10.1409051336410.21571@multics.mit.edu>
Cc: kerberos <kerberos@mit.edu>
On Thu, 4 Sep 2014, Brett Randall wrote:
> Initially I had checked kdc.conf, but of course clockskew is declared
> in krb5.conf, and I found my KDC had a (non-default) setting of
> clockskew = 3600 (1 hour). If I wait the full hour, the renewal is
> then rejected as expected.
The KDC merges krb5.conf and kdc.conf into a single "profile"; there is no
distinction made between which file a variable is set in. (I do not
consider here the case where a variable is set in both files.)
> Needless to say this caught me out. When I was reading the main
> documentation about ticket expiry, I didn't readily find any
> cross-references to clockskew and grace periods. What is interesting
> is that even though the client and KDC clocks are synced to the
> second, the grace period is still applied.
The KDC cannot really know that the clocks are synchronized, so the grace
period must always be applied.
-Ben Kaduk
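
Added example, not part of the original message and not MIT krb5 code: a small audit script that looks for `clockskew` in both configuration files, as the merged profile would see it, and shows how long after its end time a ticket is still accepted. Assumptions: the file contents and the end time are constructed, `clockskew` is given in whole seconds, the default is 300 seconds, and a value set differently in both files is reported as a conflict rather than resolved.

```python
import re
from datetime import datetime, timedelta, timezone

DEFAULT_CLOCKSKEW = 300  # seconds; MIT krb5 default when clockskew is unset

# Constructed sample files, not taken from the thread.
SAMPLE_FILES = {
    "krb5.conf": "[libdefaults]\n  default_realm = EXAMPLE.COM\n  clockskew = 3600\n",
    "kdc.conf": "[kdcdefaults]\n  kdc_ports = 88\n",
}

def find_clockskew(files):
    """Return [(filename, seconds)] for each [libdefaults] clockskew setting."""
    hits = []
    for name, text in files.items():
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":      # blank line or comment
                continue
            header = re.fullmatch(r"\[(\w+)\]", line)
            if header:
                section = header.group(1)
                continue
            rel = re.fullmatch(r"clockskew\s*=\s*(\d+)", line)
            if rel and section == "libdefaults":
                hits.append((name, int(rel.group(1))))
    return hits

def effective_clockskew(files):
    """Clockskew of the merged profile, whichever file sets it."""
    hits = find_clockskew(files)
    values = {seconds for _, seconds in hits}
    if len(values) > 1:
        # Precedence between files is deliberately not modelled here.
        raise ValueError(f"conflicting clockskew settings: {hits}")
    return values.pop() if values else DEFAULT_CLOCKSKEW

def accepted(endtime, now, skew):
    """True while the KDC-side clock is within the grace period after endtime."""
    return now - endtime <= timedelta(seconds=skew)

if __name__ == "__main__":
    skew = effective_clockskew(SAMPLE_FILES)
    end = datetime(2014, 9, 4, 12, 0, tzinfo=timezone.utc)  # constructed endtime
    for minutes in (4, 6, 59, 61):
        now = end + timedelta(minutes=minutes)
        print(f"+{minutes:2d} min  skew={skew}: {accepted(end, now, skew)}"
              f"  default: {accepted(end, now, DEFAULT_CLOCKSKEW)}")
```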