524 problems with 1.3.4, and historical issues

[Daniel Henninger]

Howdy folk,
For quite some time now, we have had to make 'minor' hacks to the Kerberos 
base code to get it to behave nicely in our environment.  In the 1.2.* 
series, the hack was basically to take the following:
          if (lifetime > 127) {
              /* use the CMU algorithm instead: */
              long *clist = cmu_seconds;
              while(*clist && *clist < deltatime) clist++;
              lifetime = 128 + (clist - cmu_seconds);
          }
out of src/krb524/cnv_tkt_skey.c.  This code caused us to get krb4 tickets 
that had far shorter lifetimes than the "rest of the tickets".  (tgts and 
such)  One easy place to notice this was with Zephyrs.

So now we are attempting to move to 1.3.4.  I see that specific piece of 
code no longer exists.  Now, instead of getting a shorter zephyr ticket, I 
get:
ghidora 5.8 [10:33am] <1> ...src> zwrite daniel
zwrite: Kerberos error: time is out of bounds while sending notice to daniel

??  The rest of my tickets seem fine at the moment:
Ticket cache: FILE:/tmp/krb5cc_daniel_:0.1
Default principal: [EMAIL PROTECTED]
Valid starting     Expires            Service principal
07/14/04 10:26:12  07/15/04 07:41:12  krbtgt/[EMAIL PROTECTED]
07/14/04 10:26:13  07/15/04 07:41:12  afs/[EMAIL PROTECTED]
07/14/04 10:26:14  07/15/04 07:41:12  afs/[EMAIL PROTECTED]
07/14/04 10:26:14  07/15/04 07:41:12  afs/[EMAIL PROTECTED]
07/14/04 10:28:34  07/15/04 07:41:12  imap/[EMAIL PROTECTED]
07/14/04 10:28:36  07/15/04 07:41:12  imap/[EMAIL PROTECTED]
Kerberos 4 ticket cache: /tmp/tkt_daniel_:0.1
Principal: [EMAIL PROTECTED]
  Issued              Expires             Principal
07/14/04 10:26:12  07/15/04 07:41:12  [EMAIL PROTECTED]
So I attempted to define "SHORT_LIFETIME" in 
lib/src/krb5/krb/v4lifetime.c, after looking at the code.  I thought I'd 
give it a whirl.  That kills the out of bounds error message, but doesn't 
give me a full length ticket:
07/14/04 10:11:39  07/14/04 21:46:39  [EMAIL PROTECTED]


So my question here is, what are we doing different from you all up in 
MIT?  Why are we running into these issues and you are not?  Am I 
overlooking some sort of configuration problem?  Do you all not use krb4 
at all anymore?  Thanks!

Daniel
--
/\\\----------------------------------------------------------------------///\
\ \\\      Daniel Henninger           http://www.vorpalcloud.org/        /// /
 \_\\\      North Carolina State University - Systems Programmer        ///_/
    \\\                   Information Technology <IT>                  ///
     """--------------------------------------------------------------"""
________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos