[2257] in Kerberos-V5-bugs


Re: Bug fix: kdc.conf not being read

daemon@ATHENA.MIT.EDU (Barry Jaspan)
Mon Sep 23 12:55:12 1996

Date: Mon, 23 Sep 1996 12:45:07 -0400
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: Jon Roma <roma@uiuc.edu>
Cc: Sam Hartman <hartmans@MIT.EDU>,
        Christopher Seawood <cseawood@qualcomm.com>,
        krb5-bugs@MIT.EDU, kerberos@MIT.EDU
In-Reply-To: [8086]


   (In my experimentation with principals that I found that had a maximum
   ticket life of 0, I was able to get kadmin to set the maximum ticket life
   to negative values and for kinit to generate tickets with these bad values.
   I'll document further in a separate note if this is not a known situation.)

Let me guess... you decided to set a maximum ticket lifetime of N
seconds (say, 36000, which could be 10 hours) and decided to enter the
number explicitly as -maxlife 36000 instead of using a unit as in
-maxlife "10 hours".

This will not do what you expect.  The date parsing routine that
kadmin uses parses a single integer as a number of seconds since the
start of the current day (ie: just like you had entered hh:mm:ss, but
you left off the hh:mm part, and it allows you to enter an arbitrarily
large ss).  It converts that to an absolute time (ie: 10:00am EST on
9/23/96) and returns it to its caller.  Since the caller wants a
relative time, it then subtracts the current time from that value, and
uses it (as the max_life, say).

So, if it is currently 1pm, and you say -maxlife 36000, you will end
up with a max_life of -10800 (negative three hours).  If you said
-maxlife "36000 seconds" it would do the right thing, since then you
really are specifying a relative time and the date parser does the
right thing.

This is obviously a design flaw, because a very natural sysadmin
behavior (specifying the seconds explicitly) gives such unexpected and
confusing results.  I thought we had decided on a fix for this but it
seems to have been missed; I'll make sure it gets addressed.

For now, though, if you want to specify a relative time in seconds, BE
SURE TO SPECIFY THE "seconds" KEYWORD!

Barry
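
The arithmetic described in the message above, as an added example that is not part of the original post and is not MIT Kerberos code. `described_maxlife` models the reported behaviour with a UTC day boundary as a simplifying assumption; `strict_maxlife` is a hypothetical parser that treats a bare integer as relative seconds and rejects non-positive lifetimes.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DAY 86400L

/* Model of the behaviour the message describes (not the kadmin source):
 * a bare integer is read as seconds since the start of the current day,
 * made absolute, and the caller subtracts "now" to get a lifetime.
 * Assumption: the day boundary is taken in UTC to keep the model small. */
long described_maxlife(const char *arg, long now)
{
    long midnight = now - (now % DAY);
    long absolute = midnight + strtol(arg, NULL, 10);
    return absolute - now;
}

/* Hypothetical stricter parser: "<n>" and "<n> seconds" are both relative.
 * Other units are out of scope here. Returns 0 and stores the lifetime,
 * or -1 for malformed, out-of-range or non-positive input. */
int strict_maxlife(const char *arg, long *out)
{
    char *end;
    long n;

    errno = 0;
    n = strtol(arg, &end, 10);
    if (end == arg || errno == ERANGE || n <= 0)
        return -1;
    while (isspace((unsigned char)*end))
        end++;
    if (*end != '\0' && strcmp(end, "seconds") != 0)
        return -1;
    *out = n;
    return 0;
}

int main(void)
{
    long now = 9762L * DAY + 13 * 3600L;  /* constructed: 1pm on a UTC day */
    long life = 0;

    printf("described: %ld\n", described_maxlife("36000", now));
    if (strict_maxlife("36000", &life) == 0)
        printf("strict:    %ld\n", life);
    return 0;
}
```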
