On Mon, 29 Oct 2012, Jeffrey Hutzelman wrote:
On Mon, 2012-10-29 at 16:57 -0500, Andrew Deason wrote:
commit 13a2d01b722969da997f1878ad176991fb0ffabc
Author: Ben Kaduk <[email protected]>
Date: Wed Oct 24 23:26:49 2012 -0400
Clarify token expiry
For krb5-based tokens, does this have any relevance for renewable
tickets? That is, if our expiration time is in 10 hours, but we are
renewable for 7 days, we want this field to specify the 'expiration
time' in 7 days from now, not 10 hours, correct? Or does that just
result in an entirely new connection because the token is effectively
entirely new? (I feel like this is obvious, but after reading this text
for a while I tend to get confused easily... :)
No, the token has to expire in 10 hours, when the ticket does. The
renewable lifetime of a ticket only tells you for how long the KDC will
let you get a new ticket by presenting the old one to the TGS.
I agree with jhutz; we must use the ticket that we have, not the ticket
that we could have.
-Ben
_______________________________________________
AFS3-standardization mailing list
[email protected]
http://lists.openafs.org/mailman/listinfo/afs3-standardization
