On 02/11/2014 04:28 AM, Arpit Srivastava wrote: > When credentials expires, and I immediately call gss_init_sec_context, I > get minor -1765328373 (Requested effective lifetime is negative or too > short) > but after 2-3 minutes, I call gss_init_sec_context again, I get expected > minor code of credentials expired.
In the first case, the KDC accepted your TGT for the TGS request (because of clock skew allowance) but calculated that the service ticket would never be valid. In the second case, the KDC rejected your TGT as expired. (At least, I think that's what is going on. The GSSAPI client code can locally generate a KRB5KRB_AP_ERR_TKT_EXPIRED error, but only if it successfully obtains a service ticket from the ccache or the KDC and then determines that it has expired.) ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
