I presume this is for parameters specified the "Java way", and you do the right thing when you're reading a krb5.conf file.

I can't personally think of anything where I would care about a sub-second value. OTOH the standard timeout for kinit is 1 second so it seems possible someone else might.

On May 18, 2014, at 7:38 PM, Wang Weijun <weijun.w...@oracle.com> wrote:

> Hi All
>
> I am a member of Oracle's Java SE security team, and recently we found a bug
> about the inconsistency of the kdc_timeout setting between Java and other
> vendors. Java does not support specifying a unit and always treats the value
> as milliseconds. While the others support units and when no unit is given the
> value means seconds.
>
> We are going to fix this bug by first supporting the "s" unit. To give a
> chance for old Java users to specify milliseconds, we plan to also support
> "ms". Do you think it's useful? i.e. Do customers have a requirement of
> setting the timeout to be less than one second? Of course, the most difficult
> thing we (Java) need to determine is what to do when there is no unit. I am
> thinking of a (v>120 ? ms: s) heuristic but it could be dangerous. I am not
> asking any other vendor to follow this style, but do you know how people are
> setting this value?
>
> I do notice MIT's krb5 doc has no kdc_timeout at all. Maybe the algorithm
> does not care about it anymore?
>
> Thanks
> Max
>

Personal email. hbh...@oxy.edu
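
Added illustration (not code from this thread or from the JDK): a sketch of the unit handling proposed in the quoted message, with explicit "s" and "ms" suffixes and the (v>120 ? ms : s) guess for bare numbers, showing how far the guess can land from either existing convention. The class, record and method names are hypothetical, and the sample values are constructed.

```java
import java.time.Duration;
import java.util.List;

public class KdcTimeoutDemo {
    // Threshold from the quoted proposal: bare values above it are read as
    // milliseconds, values at or below it as seconds.
    static final long HEURISTIC_THRESHOLD = 120;

    /** Parsed timeout plus whether the unit had to be guessed (Java 16+ record). */
    record Parsed(Duration value, boolean guessed) {}

    // Hypothetical helper: accepts "<n>s", "<n>ms", or a bare "<n>".
    static Parsed parse(String raw) {
        String v = raw.trim().toLowerCase();
        if (v.endsWith("ms")) {               // must be tested before "s"
            return new Parsed(Duration.ofMillis(number(v, 2)), false);
        }
        if (v.endsWith("s")) {
            return new Parsed(Duration.ofSeconds(number(v, 1)), false);
        }
        long n = number(v, 0);
        Duration d = n > HEURISTIC_THRESHOLD ? Duration.ofMillis(n) : Duration.ofSeconds(n);
        return new Parsed(d, true);           // caller should log that a unit was guessed
    }

    // Strip a suffix of the given length and require a positive integer.
    static long number(String v, int suffixLen) {
        String digits = v.substring(0, v.length() - suffixLen).trim();
        long n = Long.parseLong(digits);      // NumberFormatException on junk or empty input
        if (n <= 0) throw new IllegalArgumentException("timeout must be positive: " + v);
        return n;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real krb5.conf.
        for (String raw : List.of("30s", "500ms", "30", "100", "121", "30000")) {
            Parsed p = parse(raw);
            if (!p.guessed()) {
                System.out.printf("%-6s -> %d ms (explicit unit)%n", raw, p.value().toMillis());
                continue;
            }
            long n = Long.parseLong(raw);
            // Compare the guess with the two conventions described in the thread.
            System.out.printf("%-6s -> %d ms (guessed); ms-only reading %d ms, seconds reading %d ms%n",
                    raw, p.value().toMillis(), n, n * 1000);
        }
    }
}
```

Values near the threshold are the risky ones: a bare 100 that an existing Java configuration meant as 100 ms becomes 100 seconds per KDC attempt, and a bare 121 meant as seconds elsewhere becomes 121 ms.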