[resend with proper tagged From address]

On Wed, Jun 09, 2010 at 12:15:36PM -0400, Greg Hudson wrote:
> I think the most practical fix for your problem is to make the Heimdal
> KDC more forgiving--it should not squash the validity end time of the
> ticket simply because it calculated a lower maximum renewable end time.

Thanks for the more precise ID of the problem. The Heimdal KDC should
probably use a more reasonable start time if it's going to calculate
lifetimes.

> If I were a Heimdal developer, I'd propose removing this line from
> krb5tgs.c:
>
> et.endtime = min(et.endtime, *et.renew_till);

Thanks. I'll test it and pursue that fix or a similar one.

> I'm certainly happy to change the MIT krb5 client code to not request
> renewable service tickets, and I'll bring that up on the krbdev list.
> But it's much easier to change your KDC than to change your OS-native
> client code on every client.

Jeffrey Altman pointed out that my assumption of always having the TGT
around when using the ftp service ticket is incorrect. Having a
renewable service ticket without requiring keeping/passing around the
TGT can be safer, and I'd thus be hesitant to have others lose that
option.

Richard
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
