Hello All,

I'm wondering if there isn't a problem in Heimdal in the way the expiration of 
TGT is handled.

I'm seeing this problem: I have two realms, MYFB.COM and ENG.MYFB.COM. 
ENG.MYFB.COM is trusting MYFB.COM. When I log on to my laptop I get a TGT ticket 
for MYFB.COM for 10 days, then I try to ssh to a machine that uses 
ENG.MYFB.COM, so I get a TGT for ENG.MYFB.COM:


krbtgt/eng.myfb....@myfb.com


But the realm for ENG.MYFB.COM is only granting TGT for 2 days, so after 2 days 
I have 3 (or more) tickets:


1) 1 for MYFB.COM

2) 1 TGT for ENG.MYFB.COM

3) 1 for host/myserver.eng.myfb....@eng.myfb.com


Tickets 2 and 3 are expired, and when I try one more time to ssh to my server it 
fails because the expired TGT for ENG.MYFB.COM is sent to a KDC for this 
realm and the KDC replies indicating that the ticket is expired.


I tried the same with MIT Kerberos on Linux (1.13) and it's working fine, as the 
library fetches a new TGT for ENG.MYFB.COM if the existing one is expired and 
the main TGT is not expired.


Thanks.

Matthieu
