[36367] in Kerberos
krb5_timeofday() and krb5_get_time_offsets() usage
daemon@ATHENA.MIT.EDU (Petr Spacek)
Wed Aug 13 05:15:16 2014
Message-ID: <53EB2C88.9070007@redhat.com>
Date: Wed, 13 Aug 2014 11:14:48 +0200
From: Petr Spacek <pspacek@redhat.com>
MIME-Version: 1.0
To: Kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hello,
I would like to head your recommendation about correct
krb5_timeofday()/krb5_get_time_offsets() usage.
Example:
- An application calls krb5_get_init_creds_keytab() during start up and then
uses the ticket for a long time.
- The application later uses krb5_cc_retrieve_cred() to get
creds.times.endtime value and to check that the ticket is still valid.
- The goal is to make sure that the ticket is still valid before any attempt
to use it.
Is it enough to do something like this?
#define GUARD_TIME 300
krb5_timestamp now;
krb5_creds creds;
krb5_cc_retrieve_cred(context, ccache, 0, &mcreds, &creds);
krb5_timeofday(context, &now);
if (now > (creds.times.endtime - GUARD_TIME)) {
log("Credentials in cache expired");
renew_ticket();
}
I can see that krb5_timeofday() from krb5-libs-1.11 does time offset
correction automatically for seconds but not for microseconds.
Does it mean that application should do microseconds correction on it's own? E.g.:
krb5_timeofday(context, &now);
krb5_get_time_offsets(context, &kdc_time_offset, &kdc_time_offset_usec);
if (kdc_time_offset_usec > 0)
now++;
else if (kdc_time_offset_usec < 0)
now--;
Or - would it be possible to handle microseconds correction inside
krb5_timeofday()?
(I hope that I understood the semantics correctly, currently I don't see any
krb5_set_time_offsets() call with non-zero microseconds parameter.)
Thank you for your time.
--
Petr Spacek @ Red Hat
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
