>>>>> "kwc" == kwc@citi umich edu via RT writes:

kwc> 1) We have many Windows AFS clients which use the default
kwc> authentication code found there. This code, unlike all the
kwc> other AFS authentication code, uses K4 UDP instead of rx.
kwc> The AFS K4 code checks the issue time of the ticket it gets
kwc> back and compares it to its local time. If those times are
kwc> more than " clock skew" off, it fails with a clock skew error.
kwc> The adjustment of the issue time (kerb_time.tv_sec) causes
kwc> the Windows AFS client to fail with a clock skew error.

The backwards adjustment of issue time is meant to expire the krb4
ticket at the same time as an equivalent krb4 ticket would expire. I
suppose we could round the lifetime down if necessary, though that
would cause tickets to expire much sooner than expected if you're in
the exponential lifetime region.

kwc> 2) The krb_life_to_time() routine returns 0xffffffff when the
kwc> requested lifetime is "unlimited" (0xff in the request). So
kwc> v4endtime becomes 0xffffffff. When this is used in the min()
kwc> functions, -1 is found to be the minimum. Thus a ticket with
kwc> an end time of 0xffffffff is returned. This lifetime should
kwc> be limited by the life of the TGT and the service's lifetime.

Are you mixing krb4 implementations? The version of
krb_life_to_time() that is in krb5-1.3.1 does not return 0xffffffff
for a requested lifetime of 0xff.

---Tom
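
The min() behaviour described in point 2 of the quoted report, as an added example that is not part of the original message or of the krb5 source. It assumes end times are compared as signed 32-bit values; the function names and sample times are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Sentinel end time from the report: "unlimited" lifetime. */
#define ENDTIME_UNLIMITED 0xffffffffu

/* Signed comparison (assumption: end times held in a signed 32-bit type).
 * 0xffffffff converts to -1 on two's-complement targets and wins every min(). */
static int32_t min_signed(int32_t a, int32_t b) { return a < b ? a : b; }

/* Unsigned comparison: 0xffffffff is the largest value, so real limits win. */
static uint32_t min_unsigned(uint32_t a, uint32_t b) { return a < b ? a : b; }

/* Hypothetical helper: end time picked with signed min(), the reported failure. */
uint32_t endtime_signed(uint32_t v4end, uint32_t tgt_end, uint32_t svc_end)
{
    int32_t m = min_signed((int32_t)v4end,
                           min_signed((int32_t)tgt_end, (int32_t)svc_end));
    return (uint32_t)m;
}

/* Hypothetical helper: end time picked with unsigned min(), so the result is
 * limited by the TGT end time and the service's maximum lifetime. */
uint32_t endtime_capped(uint32_t v4end, uint32_t tgt_end, uint32_t svc_end)
{
    return min_unsigned(v4end, min_unsigned(tgt_end, svc_end));
}

int main(void)
{
    /* Constructed sample values, in seconds since the epoch. */
    uint32_t now = 1070000000u;
    uint32_t tgt_end = now + 10 * 3600;  /* TGT expires in 10 hours */
    uint32_t svc_end = now + 24 * 3600;  /* service maximum: 24 hours */

    printf("signed min:   0x%08x\n",
           (unsigned)endtime_signed(ENDTIME_UNLIMITED, tgt_end, svc_end));
    printf("unsigned min: 0x%08x\n",
           (unsigned)endtime_capped(ENDTIME_UNLIMITED, tgt_end, svc_end));
    return 0;
}
```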