[1330] in Kerberos_V5_Development


V4 vs. V5 principal expiration

daemon@ATHENA.MIT.EDU (Barry Jaspan)
Tue Jun 18 12:06:31 1996

Date: Tue, 18 Jun 96 12:06:11 -0400
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: krbdev@MIT.EDU


A principal in the KDC database has an expiration field of 0:

kadmin.local:  getprinc testuser
Principal: testuser@SECURE-TEST.OV.COM
Expiration date: Wed Dec 31 19:00:00 EST 1969
<rest of entry deleted>

The V5 KDC issues a ticket for the principal, but a V4 request for the
same principal returns "principal expired":

Jun 18 12:00:22 6E:beeblebrox krb5kdc[21625]: AS_REQ 127.0.0.1(1750): ISSUE: authtime 835113622, testuser@SECURE-TEST.OV.COM for krbtgt/SECURE-TEST.OV.COM@SECURE-TEST.OV.COM

Jun 18 11:56:34 6E:beeblebrox krb5kdc[21625]: PROCESS_V4:Initial ticket request Host: 18.177.1.29 User: "testuser" ""
Jun 18 11:56:34 3E:beeblebrox krb5kdc[21625]: PROCESS_V4:EXPIRED "testuser" ""  31-Dec-69 19:00:00

Looking at the code, kerberos_v4.c clearly does not have an exception
for an expiration time of zero meaning "never":

    if ((u_long) p->exp_date < (u_long) kerb_time.tv_sec) {
	/* service did expire, log it */
	...
    }

The strange thing is that I found this problem with OV's V4 admin
server unit tests, but these tests used to work at OV.  Did the V4 KDC
compatibility change in this respect?  Perhaps OV's default expiration
time for principals used to be ~0, not 0 as it is now.  Hmmm.

Barry
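
An added example, not part of the original message and not MIT Kerberos code: it runs the comparison quoted from kerberos_v4.c beside a hypothetical variant that treats an expiration of 0 as "never", over constructed expiration values. The function names, the sample values, and the assumption that "0 means never" is the rule behind the V5 ISSUE result are illustrative only.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed "current time": the authtime from the AS_REQ log line in the post. */
#define SAMPLE_NOW 835113622UL

/* Comparison as quoted from kerberos_v4.c: no exception for 0. */
static int v4_check_as_quoted(unsigned long exp_date, unsigned long now)
{
    return exp_date < now;              /* 1 = "principal expired" */
}

/* Hypothetical check that treats 0 as "never expires" (assumption: this is
 * the rule behind the V5 ISSUE result shown in the post). */
static int check_zero_means_never(unsigned long exp_date, unsigned long now)
{
    return exp_date != 0 && exp_date < now;
}

/* Constructed expiration values, not real database entries. */
static const unsigned long sample_exp[] = {
    0UL,                  /* the testuser case: displayed as Dec 31 1969 EST */
    ~0UL,                 /* the "~0" default the post speculates about */
    SAMPLE_NOW - 86400,   /* expired a day earlier */
    SAMPLE_NOW + 86400    /* expires a day later */
};
#define N_SAMPLES (sizeof sample_exp / sizeof sample_exp[0])

/* Count values on which the two checks give different answers. */
static size_t count_divergent(const unsigned long *exp, size_t n,
                              unsigned long now)
{
    size_t i, diff = 0;
    for (i = 0; i < n; i++)
        if (v4_check_as_quoted(exp[i], now) != check_zero_means_never(exp[i], now))
            diff++;
    return diff;
}

int main(void)
{
    size_t i;
    for (i = 0; i < N_SAMPLES; i++)
        printf("exp_date=%lu quoted=%d zero_never=%d\n", sample_exp[i],
               v4_check_as_quoted(sample_exp[i], SAMPLE_NOW),
               check_zero_means_never(sample_exp[i], SAMPLE_NOW));
    printf("divergent: %lu\n",
           (unsigned long)count_divergent(sample_exp, N_SAMPLES, SAMPLE_NOW));
    return 0;
}
```

Only the 0 entry gets different answers from the two checks; an all-ones value compares as not expired under both, and ordinary past or future dates are unaffected.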


