[37180] in Kerberos


Re: Compatibility between mixed kerberos release (KDC 1.12 client

daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Wed Jul 29 22:12:58 2015

Date: Wed, 29 Jul 2015 22:12:35 -0400 (EDT)
From: Benjamin Kaduk <kaduk@mit.edu>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
In-Reply-To: <201507300206.t6U26f59002987@hedwig.cmf.nrl.navy.mil>
Message-ID: <alpine.GSO.1.10.1507292211120.22210@multics.mit.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Wed, 29 Jul 2015, Ken Hornstein wrote:

> >Is there any general wisdom out there about mixed KDC/Client versions?  Are
> >there concerns around allowing environments to drift to where a KDC would be
> >on a later release than the clients?
>
> FWIW, we run a whole bunch of crazy versions of Kerberos, and generally
> there is not an interoperability problem; the protocol is pretty well
> specified and in general everything works fine at that level.

Yes; it is expected that any implementation of the Kerberos protocol can
successfully talk to a peer running a different implementation, including
the case where the peers differ only by software version and have a common
lineage.

> >There seems to be a change in default behavior in the 1.12+ where renewable
> >tickets must be specifically requested (RHEL 7 is including the 1.12 as the
> >tested krb release in platform).
>
> This is more of a problem, but I don't consider this an interoperability
> issue.

That sort of calls to mind
https://github.com/krb5/krb5/commit/4f551a7ec126c52ee1f8fea4c3954015b70987bd,
and makes me wonder what the actual lifetimes in the request are (and the
max permitted by the KDC).

-Ben
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
