So, bottom line, you think it's more an error on the Heimdal side than the MIT/Sun side.

On Apr 20, 2007, at 10:10 PM, Shawn M Emery wrote:

>> 2) Is this an error that ought to be fixed on the Heimdal or the
>> Sun/MIT side? I'm kind of thinking that start times should only
>> be adjusted forwards, and end times
>
> Yes, start times can differ w/o problems, unless the REP differs
> from the client's system time by more than clockskew. endtimes can
> also differ as long as the REP is not greater than the REQ. But
> the problem in this case is that the REP renew till time is greater
> than the REQ renew till time. 4120 states that the REP renew till
> time MAY be the minimum of:
>
> REQ renew life time
> -or-
> start time + principal's max renew life time
> -or-
> start time + policy's max renew life time

Interestingly, there is some code in Heimdal that does (most of) this, but it's commented out.

> So in this case Heimdal is not using this algorithm, though it's
> not a MUST. You should submit a bug to them to see if they will
> fix their KDC to honor this if one hasn't already been submitted.

The issue is that Heimdal is correcting the times by the 6-second offset in the client's clock (because NTP had failed on the client). I'm not disagreeing with you, but there are plausible, if possibly insufficient, reasons for the behavior.

> Shawn.
> --
>> should only be adjusted backwards in the server, but I haven't
>> thought it all the way through.

. . . and I guess I still don't feel I understand all the possible implications. If I fix this case will I suddenly break some other equally obscure case on e.g. RedHat Enterprise 2?

I suppose it's better to be RFC compliant, when in doubt. Thanks for the feedback.

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
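
The renew-till rules discussed in this thread, as an added example that is not part of the original message and is not Heimdal, MIT or Sun code: it compares a reply built with the minimum rule against one whose renew-till was shifted by the 6-second offset, using the client-side checks as the quoted reply states them. The function names, the 5-minute clockskew, the lifetimes, the direction of the offset, and modelling the shift as "requested renew-till plus offset" are all assumptions.

```python
from datetime import datetime, timedelta, timezone

CLOCKSKEW = timedelta(minutes=5)   # assumed client tolerance
OFFSET = timedelta(seconds=6)      # client clock offset mentioned in the thread


def renew_till_minimum(req_rtime, starttime, princ_max_renew, policy_max_renew):
    """Earliest of the three candidates listed in the quoted reply."""
    return min(req_rtime,
               starttime + princ_max_renew,
               starttime + policy_max_renew)


def check_rep_times(req, rep, client_now, clockskew=CLOCKSKEW):
    """Return the violations a client would find, per the rules stated in the thread."""
    problems = []
    if abs(rep["starttime"] - client_now) > clockskew:
        problems.append("starttime outside clockskew")
    if rep["endtime"] > req["till"]:
        problems.append("endtime later than requested")
    if rep["renew_till"] > req["rtime"]:
        problems.append("renew-till later than requested")
    return problems


def build_scenario():
    """Constructed values: client clock runs 6 s behind the KDC (assumed direction)."""
    kdc_now = datetime(2007, 4, 20, 12, 0, 0, tzinfo=timezone.utc)
    client_now = kdc_now - OFFSET
    req = {"till": client_now + timedelta(days=1),
           "rtime": client_now + timedelta(days=7)}
    starttime = kdc_now
    endtime = min(req["till"], starttime + timedelta(hours=10))  # max ticket life (assumed)
    limits = (timedelta(days=30), timedelta(days=14))  # principal, policy (assumed)
    compliant = {"starttime": starttime, "endtime": endtime,
                 "renew_till": renew_till_minimum(req["rtime"], starttime, *limits)}
    # Modelled on the behaviour described above: requested time shifted by the offset.
    shifted = dict(compliant, renew_till=req["rtime"] + OFFSET)
    return req, client_now, compliant, shifted


if __name__ == "__main__":
    req, now, compliant, shifted = build_scenario()
    print("minimum rule  :", check_rep_times(req, compliant, now) or "accepted")
    print("offset-shifted:", check_rep_times(req, shifted, now) or "accepted")
```
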