[26945] in Athena Bugs
Re: 9.4.26 sun: Strange krb4 expiry problems
daemon@ATHENA.MIT.EDU (John Hawkinson)
Tue Sep 5 13:41:06 2006
Date: Tue, 5 Sep 2006 13:40:23 -0400
From: John Hawkinson <jhawk@mit.edu>
To: Greg Hudson <ghudson@mit.edu>
Message-ID: <20060905174023.GE8311@multics.mit.edu>
In-Reply-To: <200609051732.k85HWGpn032678@equal-rites.mit.edu>
Cc: bugs@mit.edu

Greg Hudson <ghudson@MIT.EDU> wrote on Tue, 5 Sep 2006
at 13:32:16 -0400 in <200609051732.k85HWGpn032678@equal-rites.mit.edu>:

> The best workaround right now is to get all the krb4 service tickets
> you might need at the time you renew your credentials. Since the
> discuss daemon on menelaus and the zephyrd daemons etc. are all using
> the CMU algorithm, you will be able to use those tickets for the full
> 22-or-so hours even though the KDC thinks it's only giving you a
> 10-or-so hour service ticket.

Since the overhead of ticket renewal is low, I think the better workaround
is the one that produces the least confusion, which is to renew
tickets every 7 hours. Then you never get in the situation where
klist is "lying" to you, etc.

What's the reporting path for getting the Kerberos server maintainers
aware of this problem?

--jhawk