Hey All,
We seem to be running into a bug and our team may have made some incorrect
assumptions when we first rolled this out. We have a few issues. These are
all performed on RHEL 7.3 using packages 1.14.1-27.el7_3.
First
We are able to run "kinit -R" outside of the expiration time. The man pages
say this shouldn't be able to occur.
Ex.
09:25:23 $ klist -ef
Ticket cache: FILE:/tmp/krb5cc_17105570
Default principal: test/bdatadevkdc01.northamerica.net@realm
Valid starting Expires Service principal
10/16/2017 09:25:17 10/16/2017 09:27:17 krbtgt/realm@realm
renew until 10/16/2017 09:31:17, Flags: FRI
Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
09:25:25 $ sleep 140; date; kinit -R; klist
Mon Oct 16 09:27:59 CDT 2017
Ticket cache: FILE:/tmp/krb5cc_17105570
Default principal: test/bdatadevkdc01.northamerica.net@realm
Valid starting Expires Service principal
10/16/2017 09:28:01 10/16/2017 09:30:01 krbtgt/realm@realm
renew until 10/16/2017 09:31:17
Here the ticket lifetime is 2 mins, renew time is 6 mins. We sleep for 140
seconds and are still able to renew the ticket anyway. I believe this is a bug.
Second
This one may just be a misunderstanding on my part.
Similar situation. Ticket lifetime is 2 mins, renewable for 6. When we get to
the 5th min of the renew until time, where if we were to kinit -R again the
expiration date would be outside of that renew until time, should the ticket
expire or should the valid starting time just be updated and the expiration
time capped? We had a patched package that did things the latter way and the
regular 1.14 packages that do it the former.
Third
This may be answered in the above, but when we kinit -R in a situation like the
second problem, at the end of the renew until time so that the ticket lifetime
would put it outside of that window, we see the ticket expire in 1.14, but when
doing a klist the ticket still looks valid since it shows it within the valid
starting time and expiration date. The ticket no longer functions, as expected
from the output of kinit -R; is the expired ticket displayed in any way by
klist?
Thank you for your time!
Alex H.
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos