Thanks Greg and Niko I am using MIT Kerberos at client side and AD as KDC.
I am using 8 hrs lifetime for TGT. Now, When I increase the time at client side, say 2015, I get following error codes. gss_inquire_cred maj_stat = 720896, min_stat = 100001 gss_init_sec_context maj_stat = 851968, min_stat = 100005 When I decrease the time at client side, say 2013, I get following error codes. gss_inquire_cred maj_stat = 0, min_stat = 0 gss_init_sec_context maj_stat = 851968, min_stat = 100005 How to handle such situations ? because I am not getting clock skew error even once (I get it only at the time of kinit). Pls advice how to handle clock-related problems at client-side. Arpit On Thu, Feb 6, 2014 at 1:17 AM, Nico Williams <[email protected]> wrote: > On Wed, Feb 5, 2014 at 11:05 AM, Greg Hudson <[email protected]> wrote: > > This could all work better if krb5 had used a ticket lifetime instead of > > an end time (like krb4 did, but without the crazy 8-bit representation > > of the lifetime). But the protocol was designed under the assumption > > that clients, servers, and KDCs would all have mostly synchronized > > clocks, so it went with the simplification of always using absolute > > timestamps and never relative intervals. > > And yet implementation-wise relative times are still needed... I > agree, 'twould have been better to have relative lifetime. > ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
