>I'm not sure that your interpretation of this code snippet is correct:

Always a possibility, I will freely admit :-)

>>    until = (request->till == 0) ? kdc_infinity : request->till;
>>    enc_tkt_reply.times.endtime =
>>        min(until, min(enc_tkt_reply.times.starttime + server.max_life,
>>            min(enc_tkt_reply.times.starttime + max_life_for_realm,
>>                header_ticket->enc_part2->times.endtime)));
>
>The line immediately above what you've quoted is:
>
>    enc_tkt_reply.times.starttime = kdc_time;
>
>(in other words, "now"; kdc_time is gotten from krb5_timeofday earlier
>in the function).

Hm, I believe you are right. I was confusing enc_tkt_reply with header_ticket. Sorry about that.

>So if it doesn't work in recent MIT versions, either it was fixed in DCE
>and didn't get propagated back to MIT (which, unfortunately, happened on
>occasion) or it got broken in the MIT code since the early 1.1 beta
>days. I admit that I haven't done a test to verify this with a recent
>MIT drop, since I've set up 24-hour lifetimes for both TGTs and service
>tickets in my local testing config.

However ... it's important to note that it will still cause problems in the "vanilla" case, since the MIT client code won't fetch a new ticket from the KDC if the one in the credential cache has expired. I'm SURE that used to be a problem (it bit us for a while), and a code inspection shows me that it's still the case (but hey, as demonstrated above, I've been wrong before).

--Ken
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
