Can someone confirm this? There appears to be a minor bug in the lifetime logic in krb524/cnv_tkt_skey.c.

It would appear that the intent of the code was to generate a Kerberos 4 ticket with the same expiration time as the Kerberos 5 ticket, adjusting the starttime such that it may be earlier than the actual starttime. If so, then the current code is only an appro does not give you these results. I could be wrong about the intent, the comments are somewhat unclear, but this objective would make sense, at least to me.

I'm submitting two patches for your review. The first patch was tested with a build of krb524d and a piece of client code that examines the sealed portion of an AFS token using ktc_GetToken, afsconf_GetKey, tkt_DecodeTicket on the client side to examine the sealed part of the AFS token. The second patch was tested with an application that acquires AFS tokens by way of 524 using the second patch attached.

Thanks.