[2189] in Kerberos-V5-bugs


Re: Bug in lifetime handling in krb524d

daemon@ATHENA.MIT.EDU (Ken Hornstein)
Tue Aug 27 21:56:14 1996

To: "Theodore Y. Ts'o" <tytso@MIT.EDU>
Cc: krb5-bugs@MIT.EDU
In-Reply-To: Your message of "Tue, 27 Aug 1996 18:59:31 EDT."
             <9608272259.AA18124@dcl.MIT.EDU> 
Date: Tue, 27 Aug 1996 21:56:03 -0400
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>

>This isn't a bug.  The idea is that if your V5 tickets only have 3 hours
>left, the V4 tickets that you get should also only have 3 hours left on
>them.  This is similar to what happens if you get an application ticket
>from your ticket-granting ticket.  All of your tickets expire at the
>same time, and all of your tickets are bounded by the expiration time of
>your ticket-granting ticket.

Well, I definitely agree that's the way it _should_ work, but that's
not what is happening.

The current time is not used as the start time - the start time in the
converted V4 ticket is the start time from the V5 ticket.  However,
the lifetime is calculated using the current time as the start time.

I realize this may be unclear, but let me draw out what actually happened
(the times aren't exact).

- I got a V5 ticket for AFS, starting at 10am, lifetime of 10 hours.  This
  ticket expired at 8pm, same as my TGT.  No problem.

- At 2:30pm, I ran "aklog" again (because a new PTS group was created, but
  I couldn't access it).  This ticket should also expire at 8pm.

- At 3:30, I got the message, "Your token as expired".

What happened is this:

During my second request, the 5-to-4 converter received my ticket, and
calculated a ticket lifetime of 5 hours, 30 minutes.  This is the expiration
time (8pm) minus the current time (2:30pm).  It then sent back a ticket
that had the same start time as my original V5 ticket (10am), with a lifetime
of 5 hours, 30 minutes.  This ticket expires at 3:30pm.

What should happen is either the current time should be used as the ticket
lifetime, or the start time should be used for the lifetime calculation.
At least, that's how it looks to me.

I honestly believe this is a bug.  If I am wrong in my understanding of
how V4 tickets work (which is entirely possible), then I apologize.

--Ken
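
The scenario in the message above, worked through as an added example (not part of the original message and not krb524d source): it models the reported pairing of the V5 start time with a lifetime measured from the current time, beside two self-consistent pairings. The struct and function names are hypothetical, and the 5-minute lifetime unit is an assumption of this sketch.

```c
#include <stdio.h>

/* Simplified model, not krb524d source. Times are seconds since midnight
 * (constructed values from the message); the V4 lifetime is modelled as a
 * count of 5-minute units, an assumption of this sketch. */
#define V4_UNIT 300L

struct v5_times  { long starttime, endtime; };
struct v4_ticket { long issue_time, life_units; };
enum mode { AS_REPORTED, FROM_NOW, FROM_START };

static long hm(int h, int m) { return h * 3600L + m * 60L; }

/* Hypothetical converter: each mode pairs a start time with a lifetime. */
static struct v4_ticket convert(struct v5_times v5, long now, enum mode m)
{
    struct v4_ticket v4;
    /* AS_REPORTED and FROM_START keep the V5 start; FROM_NOW restarts. */
    v4.issue_time = (m == FROM_NOW) ? now : v5.starttime;
    /* AS_REPORTED and FROM_NOW measure the lifetime from now. */
    long base = (m == FROM_START) ? v5.starttime : now;
    v4.life_units = (v5.endtime - base) / V4_UNIT;
    return v4;
}

/* A V4 ticket's expiry is issue time plus lifetime: mixing bases shifts it. */
static long v4_expiry(struct v4_ticket t)
{
    return t.issue_time + t.life_units * V4_UNIT;
}

/* Scenario from the message: V5 ticket 10:00-20:00, converted at 14:30. */
static long demo_expiry(enum mode m)
{
    struct v5_times v5 = { hm(10, 0), hm(20, 0) };
    return v4_expiry(convert(v5, hm(14, 30), m));
}

int main(void)
{
    const char *name[] = { "as reported", "from now", "from start" };
    for (int m = AS_REPORTED; m <= FROM_START; m++) {
        long e = demo_expiry((enum mode)m);
        printf("%-12s expires %02ld:%02ld\n", name[m], e / 3600, e % 3600 / 60);
    }
    return 0;
}
```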
