[36875] in Kerberos
Re: Ticket expires 120 seconds early?
daemon@ATHENA.MIT.EDU (Robbert Eggermont)
Thu Apr 2 10:58:49 2015
Message-ID: <551D5911.40200@tudelft.nl>
Date: Thu, 02 Apr 2015 16:58:25 +0200
From: Robbert Eggermont <R.Eggermont@tudelft.nl>
MIME-Version: 1.0
To: kerberos@mit.edu
In-Reply-To: <551D536B.9010406@opayq.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Sorry, forgot to mention:
The time difference with the KDC is within 0.1s seconds (according to
ntpdate). The KDC runs Windows Server (if that matters?).
On 04/02/2015 04:34 PM, Stephen Carville (Kerberos List) wrote:
> My first suspicion is that the clock on the client is about 120 seconds
> ahead of the KDC.
>
> On 04/02/2015 06:16 AM, Robbert Eggermont [Masked] wrote:
>
>> Hi,
>>
>> For some time (years) I've been using tickets with a 1 minute lifetime
>> (in cron jobs). Lately, this is giving me problems:
>>
>> $ kinit -l 1m -k -t <keytab> <principal> && kvno 'host/<host>'
>> kvno: Ticket expired while getting credentials for host/<host>@<domain>
>>
>> With RHEL7 (krb5-1.12.2), the problems seem to be much worse, so I did a
>> little experimentation which seems to indicate some kind of limit at 120s:
>>
>> $ kinit -l 120s -k -t <keytab> <principal> && kvno 'host/<host>'
>> kvno: Ticket expired while getting credentials for host/<host>@<domain>
>> $ kinit -l 121s -k -t <keytab> <principal> && kvno 'host/<host>'
>> host/<host>@<domain>: kvno = 3
>>
>> The first fails 90% of the time, the second succeeds 90% of the time.
>>
>> What am I seeing here, and is it supposed to be like this?
>>
>> Thanks,
>>
>> Robbert
--
Robbert Eggermont Intelligent Systems
R.Eggermont@tudelft.nl Electr.Eng., Mathematics & Comp.Science
+31 15 27 83234 Delft University of Technology
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
