[26920] in Athena Bugs
Re: 9.4.26 solaris: krb4 ticket expiry is way too long
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Aug 15 12:46:21 2006
In-Reply-To: <200608151438.k7FEcn9u026028@multics.mit.edu>
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <BF95FE6C-F5BB-4BE7-A814-2006AB680446@mit.edu>
Content-Transfer-Encoding: 7bit
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 15 Aug 2006 12:46:05 -0400
To: John Hawkinson <jhawk@mit.edu>
X-Spam-Score: 1.217
X-Spam-Level: * (1.217)
X-Spam-Flag: NO
Cc: bugs@mit.edu
Errors-To: bugs-bounces@mit.edu
kinit is asking for a ticket with a lifetime of 141. The resulting
credentials come back with a lifetime of 255 (in the unencrypted
part; the encrypted part may contain 141, for all I know). I believe
the KDC software is doing something wrong--not simply running old
software which is unaware of the CMU lifetime algorithm, but actually
munging the lifetime for some reason.
If you kinit -5 and then krb524init, you get tickets with the correct
lifetime, so this is an issue with direct retrieval of krb4 tickets,
not with converting krb5 tickets.
