I'm wondering if there isn't a problem in heimdal in the way the expiration of
TGT is handled.
I'm seeing this problem, I have two realms: MYFB.COM and ENG.MYFB.COM;
ENG.MYFB.COM is trusting MYFB.COM, when I log on my laptop I get a TGT ticket
for MYFB.COM for 10 days, then I try to ssh to a machine that use the
ENG.MYFB.COM so I get a TGT for ENG.MYFB.COM:
But the realm for ENG.MYFB.COM is only granting TGT for 2 days, so after 2 days
I have 3 (or more) tickets:
1) 1 for MYFB.COM
2) 1 TGT for ENG.MYFB.COM
3) 1 for host/myserver.eng.myfb....@eng.myfb.com
tickets 2 and 3 are expired and when try one more time to ssh to my server it's
failing because the expired TGT for ENG.MYFB.COM is sent to a kdc for this
realm and the kdc reply indicating that the ticket is expired.
I tried the same with MIT kerberos on linux (1.13) and it's working fine as the
library fetches a new TGT for ENG.MYFB.COM if the existing one is expired and
the main TGT is not expired.