On Monday, May 07, 2007 06:44:41 PM -0700 "Henry B. Hotz" <hotz at jpl.nasa.gov> wrote:
> Thanks very much for the detailed analysis. I'll submit a bug report to > MIT based on it. > > In the mean time, I expect I still need to patch Heimdal KDC to avoid > the situation. It'll be a while before any MIT fix makes it into the > deployed client base. Indeed. It seems like the simplest change for your situation would be to make the KDC simply ignore the RENEWABLE_OK option. If you do that, the KDC should never issue a ticket with renew_till later than requested by the client. -- Jeff
