[37182] in Kerberos

Re: Compatibility between mixed kerberos release (KDC 1.12 client

daemon@ATHENA.MIT.EDU (Todd Grayson)
Wed Jul 29 22:18:27 2015

In-Reply-To: <alpine.GSO.1.10.1507292211120.22210@multics.mit.edu>
From: Todd Grayson <tgrayson@cloudera.com>
Date: Wed, 29 Jul 2015 20:17:50 -0600
Message-ID: <CALNT6MU_kA1+5=CozuPYg0C7zcyrsD=YdqwAFbq7TsqSZLFQ6w@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>, kerberos@mit.edu

Interesting, I'll take a look, thanks!

On Wed, Jul 29, 2015 at 8:12 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:

> On Wed, 29 Jul 2015, Ken Hornstein wrote:
>
> > >Is there any general wisdom out there about mixed KDC/Client versions? Are
> > >there concerns around allowing environments drift to where a KDC would be
> > >on a later release than the clients?
> >
> > FWIW, we run a whole bunch of crazy versions of Kerberos, and generally
> > there is not an interoperability problem; the protocol is pretty well
> > specified and in general everything works fine at that level.
>
> Yes; it is expected that any implementation of the kerberos protocol can
> successfully talk to a peer running a different implementation, including
> the case where the peers differ only by software version and have a common
> lineage.
>
> > >There seems to be a change in default behavior in the 1.12+ where renewable
> > >tickets must be specifically requested (RHEL 7 is including the 1.12 as the
> > >tested krb release in platform).
> >
> > This is more of a problem, but I don't consider this an interoperability
> > issue.
>
> That sort-of calls to mind
>
> https://github.com/krb5/krb5/commit/4f551a7ec126c52ee1f8fea4c3954015b70987bd
> ,
> and makes me wonder what the actual lifetimes in the request are (and the
> max permitted by the KDC).
>
> -Ben
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Customer Operations Engineering