Return-Path: Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (Postfix) with ESMTP id C12123FB88; Sun, 12 Apr 2015 18:37:35 -0400 (EDT) Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id t3CMbXNA028338; Sun, 12 Apr 2015 18:37:33 -0400 Received: from mailhub-dmz-4.mit.edu (mailhub-dmz-4.mit.edu [18.7.62.38]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id t3CLqrtX026118 for ; Sun, 12 Apr 2015 17:52:53 -0400 Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) by mailhub-dmz-4.mit.edu (8.13.8/8.9.2) with ESMTP id t3CLqq0H010272; Sun, 12 Apr 2015 17:52:52 -0400 X-Auditid: 1209190f-f79d16d000000d3d-9b-552ae9321d6b Authentication-Results: symauth.service.identifier; spf=pass; senderid=pass Received: from mx3-phx2.redhat.com (mx3-phx2.redhat.com [209.132.183.24]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-4.mit.edu (Symantec Messaging Gateway) with SMTP id 13.2D.03389.339EA255; Sun, 12 Apr 2015 17:52:52 -0400 (EDT) Received: from zmail24.collab.prod.int.phx2.redhat.com (zmail24.collab.prod.int.phx2.redhat.com [10.5.83.30]) by mx3-phx2.redhat.com (8.13.8/8.13.8) with ESMTP id t3CLqoUI016583; Sun, 12 Apr 2015 17:52:50 -0400 Date: Sun, 12 Apr 2015 17:52:49 -0400 (EDT) From: Roland Mainz To: krb5-bugs@mit.edu Message-ID: <634632348.15629437.1428875569982.JavaMail.zimbra@redhat.com> In-Reply-To: <2078702930.15629355.1428875382607.JavaMail.zimbra@redhat.com> Subject: [krb5bug] Kerberos ticket expired error with lifetime remaining MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Originating-Ip: [10.10.62.135] X-Mailer: Zimbra 8.0.6_GA_5922 (ZimbraWebClient - FF29 (Linux)/8.0.6_GA_5922) Thread-Topic: Kerberos ticket expired error with lifetime remaining Thread-Index: Oi4M1t1Ms34nBO1QKTTu9JoKzz62Hg== X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrBKsWRWlGSWpSXmKPExsVysWW7hK7JS61Qg7/LWC2uzdzLYtHw8Di7 A5NH05mjzAGMUVw2Kak5mWWpRfp2CVwZG3e0MRV0cVQ0/TjE3sC4ma2LkYNDQsBE4vYapi5G Tg5GAW+JN1ePs4PYEgJiEhfurQcq4eIQEtjOJLFw90EmCOcao8TS3X9YQKpYBLQlzux6xwhi swmoSXz5dB+sW0RAVOLl32NgNcwCihJbF28G28Ar4Clxvec3WA0n0LamZU/BaoQFPCSm/Z/D DFEjKHFy5hOoXnWJP/MuMUPY8hLb30LUSAgoSCy91c8IYftKHJm8jQlir7PE0qe3mSFsPYln N34wTWAUnoVk7CwkY2chGbuAkXkVo2xKbpVubmJmTnFqsm5xcmJeXmqRrolebmaJXmpK6SZG YJALcUry72D8dlDpEKMAB6MSD++FO1qhQqyJZcWVuYcYJTmYlER53z8HCvEl5adUZiQWZ8QX leakFh9ilOBgVhLhnTEPKMebklhZlVqUD5OS5mBREufd9IMvREggPbEkNTs1tSC1CCbLxMF+ iFGPg0Ng9rrVFxgFOn9P+sgoxZKXn5eqJMF7DmSXYFFqempFWmZOCbIuThDBBbKYB2jxbZBC 3uKCxNzizHSIolOMxhwTHvxaxMRxbF3jYiYhsJlS4rzfQEoFQEozSvPgRsIS3CVGWSlhXkYG BgYhHqArgYGDKv+KURwYMMK84S+ApvBk5pXA7XsFdAoT0ClZKmCnlCQipKQaGOt06sX+5u1l Xd98p8Tu8GOJi4vE1euk7jzqnxhqVzaVvfDDvUlKM75xdM91P37nQNlZvlMLWCVNHi6bq3X7 n6WPlQADN8usjXzLbA7G5j5rXqj9RNgxe9+iKceLxI6uS/1oLVn6deIs+V8Ss5ZmJ7rWM8yI 3hC053ZmTs1vhtOZPyT87Z8cbFJiKc5INNRiLipOBAAL5yq4awMAAA== X-Mailman-Approved-At: Sun, 12 Apr 2015 18:37:32 -0400 CC: Greg Hudson X-Beenthere: krb5-bugs-incoming@mailman.mit.edu X-Mailman-Version: 2.1.6 Precedence: list Sender: krb5-bugs-incoming-bounces@PCH.mit.edu Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu Content-Length: 1002 Hi! ---- [More or less the same as Redhat bug #1208553 ("Kerberos ticket expired error with lifetime remaining")] Kerberos TGTs with a short lifetime (<3 minutes) give problems obtaining tickets. The problem seems to be worse in krb5-1.12.x (compared to krb5-1.10.x), with a significant threshold around 120 seconds (with a TGT lifetime of 120s or less, obtaining a ticket fails 90% of the time, with a lifetime of 121s it succeeds 90% of the time, with 126s it succeeds ~100%). Steps to Reproduce: 1. kinit -l 120s -k -t && kvno 'host/' Actual results: kvno: Ticket expired while getting credentials for host/@ Expected results: host/@: kvno = 3 Additional info: Time difference with the KDC is less than 0.1 seconds. I also see the problem with krb5-1.10.x, but with much less pronounced 120s threshold. ---- Bye, Roland -- __ . . __ (o.\ \/ /.o) rmainz@redhat.com \__\/\/__/ IPA/Kerberos5 team /O /==\ O\ (;O/ \/ \O;)