[16379] in Athena Bugs


Postdated ticket problems

daemon@ATHENA.MIT.EDU (Robert A Basch)
Fri Oct 2 21:10:31 1998

To: bugs@MIT.EDU
Date: Fri, 02 Oct 1998 21:10:30 EDT
From: Robert A Basch <rbasch@MIT.EDU>

I tried creating a postdated tgt, using "kinit -s HH:MM", and ran
into problems.  On IRIX 6.3, the tgt was created with a ridiculous
start time:

athena% kinit -s 23:59
Password for rbasch@ATHENA.MIT.EDU: 
athena% klist
Ticket cache: /tmp/krb5cc_p14338
Default principal: rbasch@ATHENA.MIT.EDU

Valid starting      Expires             Service principal
05 Feb 36 06:28:16  05 Feb 36 16:28:16  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU


Kerberos 4 ticket file: /tmp/tkt_p14338
Principal: rbasch@ATHENA.MIT.EDU

  Issued              Expires             Principal
02 Oct 98 20:00:51  03 Oct 98 06:00:51  krbtgt.ATHENA.MIT.EDU@ATHENA.MIT.EDU


On Solaris, the same command failed:

athena% kinit -s 23:59
Password for rbasch@ATHENA.MIT.EDU: 
kinit: Cannot contact any KDC for requested realm while getting initial credentials
athena% klist
klist: No credentials cache file found (ticket cache /tmp/krb5cc_p9625)


Kerberos 4 ticket file: /tmp/tkt_p9625
Principal: rbasch@ATHENA.MIT.EDU

  Issued              Expires             Principal
02 Oct 98 20:05:51  03 Oct 98 06:05:51  krbtgt.ATHENA.MIT.EDU@ATHENA.MIT.EDU

Notice, though, that the krb4 ticket was created, valid immediately in
both cases.

I did a little investigation, and found that krb5_string_to_timestamp()
is using strptime(), with the tm struct initialized with the current time,
and assuming that strptime() will only modify members corresponding to the
given format (%R in this example).  On both Solaris and IRIX, though,
strptime() is zeroing the rest of the tm struct, so that the subsequent
mktime() gives a ridiculous result.  (Actually, on IRIX, tm_yday is
initialized to -1, apparently accounting for the difference in behavior
between the two systems).

I noticed that str_conv.c contains a "rudimentary" version of strptime()
for those systems that don't have it, so one possible solution might
be to build it without HAVE_STRPTIME; I didn't try it, though.

As for the krb4 ticket...it doesn't seem right for it to be created
immediately valid when the user asked for a postdated ticket.  Maybe
kinit could skip the try_krb4() call if the krb5 tgt has the INVALID
flag set, and try_convert524() when "kinit -v" is done.

Bob
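
An added example, not part of the original message and not MIT Kerberos source: one way to turn "HH:MM" into a start time without relying on what strptime() leaves in the rest of struct tm, beside a simulation of the zeroed-struct failure the report describes. It parses with sscanf() instead of strptime(), and the function names postdate_start, postdate_start_zeroed and same_day_at are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Strict "HH:MM" parse: 0 on success, -1 on malformed or out-of-range input. */
static int parse_hhmm(const char *s, int *hour, int *min)
{
    char extra;
    if (sscanf(s, "%2d:%2d%c", hour, min, &extra) != 2)
        return -1;
    return (*hour < 0 || *hour > 23 || *min < 0 || *min > 59) ? -1 : 0;
}

/* Start from the broken-down current time and overlay only the parsed fields. */
time_t postdate_start(const char *hhmm, time_t now)
{
    int hour, min;
    struct tm *cur, tm;
    if (parse_hhmm(hhmm, &hour, &min) != 0 || (cur = localtime(&now)) == NULL)
        return (time_t)-1;
    tm = *cur;                 /* keeps today's year, month and day */
    tm.tm_hour = hour; tm.tm_min = min; tm.tm_sec = 0;
    tm.tm_isdst = -1;          /* let mktime() work out DST for the new time */
    return mktime(&tm);
}

/* Simulates the reported failure: every member but hour/minute is zero
 * when mktime() is called, so the date is nowhere near today. */
time_t postdate_start_zeroed(const char *hhmm)
{
    int hour, min;
    struct tm tm;
    if (parse_hhmm(hhmm, &hour, &min) != 0)
        return (time_t)-1;
    memset(&tm, 0, sizeof tm);
    tm.tm_hour = hour; tm.tm_min = min;
    return mktime(&tm);
}

/* 1 if t falls on the same local calendar day as now, at hour:min. */
int same_day_at(time_t now, time_t t, int hour, int min)
{
    struct tm a, b, *p;
    if ((p = localtime(&now)) == NULL) return 0;
    a = *p;
    if ((p = localtime(&t)) == NULL) return 0;
    b = *p;
    return a.tm_year == b.tm_year && a.tm_yday == b.tm_yday &&
           b.tm_hour == hour && b.tm_min == min;
}
```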

