[26944] in Athena Bugs
Re: 9.4.26 sun: Strange krb4 expiry problems
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Sep 5 13:32:50 2006
Date: Tue, 5 Sep 2006 13:32:16 -0400
Message-Id: <200609051732.k85HWGpn032678@equal-rites.mit.edu>
From: Greg Hudson <ghudson@mit.edu>
To: John Hawkinson <jhawk@mit.edu>
In-reply-to: <200608181513.k7IFDvXe000383@multics.mit.edu>
Cc: bugs@mit.edu
I've been doing my own playing with renewable tickets. My conclusion
is that when you take a krb4 krbtgt ticket and use it to get a service
ticket, you go through a code path on the MIT KDC which is not using
the CMU algorithm, so it is interpreting lifetimes in flat 5-minute
increments. However, the krb524d code which gave you the krbtgt in
the first place *is* using the CMU algorithm, so it didn't give you
enough 5-minute increments to last more than about ten hours. Thus, if
your krbtgt has expired under the flat interpretation, you won't be
able to get new service tickets, and even if it hasn't expired yet,
you may get service tickets with drastically curtailed lifetimes.
The best workaround right now is to get all the krb4 service tickets
you might need at the time you renew your credentials. Since the
discuss daemon on menelaus and the zephyrd daemons etc. are all using
the CMU algorithm, you will be able to use those tickets for the full
22-or-so hours even though the KDC thinks it's only giving you a
10-or-so hour service ticket.
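Added example (not code from Greg's message or from the Athena/Kerberos sources): a Python model of the two lifetime-byte interpretations the message contrasts, the flat "5 minutes per unit" reading and the CMU reading. Assumptions: the real Kerberos 4 code uses a precomputed table for bytes 129..191, which is approximated here by an exponential formula with a ratio of 1.0691, and the range boundaries and constants are mine.

```python
# Model of the krb4 lifetime byte under the flat and CMU interpretations.
# ASSUMPTION: the real CMU code uses a precomputed table for 129..191; the
# exponential formula below approximates that table (each step ~6.9% longer).
FIVE_MINUTES = 300
CMU_LINEAR_MAX = 128            # 0..128 are plain 5-minute increments (max 10h40m)
CMU_EXP_MAX = 191               # 129..191 grow exponentially (assumed boundary)
CMU_GROWTH = 1.0691             # assumed ratio between consecutive table entries
CMU_MAX_SECONDS = 30 * 24 * 3600
NEVER_EXPIRE = 255


def flat_life_to_seconds(life: int) -> int:
    """KDC service-ticket path: every value is 5-minute units (max 21h15m)."""
    return life * FIVE_MINUTES


def cmu_life_to_seconds(life: int):
    """CMU interpretation; returns None for the 'never expires' value 255."""
    if life == NEVER_EXPIRE:
        return None
    if life <= CMU_LINEAR_MAX:
        return life * FIVE_MINUTES
    if life > CMU_EXP_MAX:
        return CMU_MAX_SECONDS
    return int(CMU_LINEAR_MAX * FIVE_MINUTES * CMU_GROWTH ** (life - CMU_LINEAR_MAX))


def cmu_seconds_to_life(seconds: int) -> int:
    """Smallest byte whose CMU meaning covers the request (what krb524d encodes)."""
    for life in range(1, CMU_EXP_MAX + 1):
        if cmu_life_to_seconds(life) >= seconds:
            return life
    return CMU_EXP_MAX


def lifetime_mismatch(requested_seconds: int) -> dict:
    """How the two sides disagree about one krbtgt issued for requested_seconds."""
    life = cmu_seconds_to_life(requested_seconds)
    return {
        "life_byte": life,
        "cmu_seconds": cmu_life_to_seconds(life),    # what CMU-aware daemons believe
        "flat_seconds": flat_life_to_seconds(life),  # what the flat KDC path believes
    }


if __name__ == "__main__":
    for hours in (8, 22):
        m = lifetime_mismatch(hours * 3600)
        print(f"{hours:2d}h requested -> byte {m['life_byte']}: "
              f"CMU {m['cmu_seconds'] / 3600:.1f}h, flat {m['flat_seconds'] / 3600:.1f}h")
```

Under these assumptions a 22-hour krbtgt is encoded as byte 139, which the flat path reads as about 11.6 hours; once that shorter window has elapsed the service-ticket path rejects the krbtgt while CMU-aware daemons still honour service tickets obtained earlier, which is why fetching them at renewal time works around the problem.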