Subject: krb5_get_init_creds() allows renew_until time < expiration time

krb5_get_init_creds() should not allow ticket requests where the renew_until time is less than the ticket expiration time. This can easily happen if the user has a default renew_lifetime in libdefaults.

For example, if the user's renew_lifetime is set to 7 days in libdefaults and then the user runs "kinit -l 10d", then krb5_get_init_creds() will end up with a renew_until time less than the ticket expiration time without explicitly doing anything stupid.

I believe a correct way to fix this is to add a check so that if this case happens, krb5_get_init_creds() sets the renew_until time to the larger lifetime. I.e.:

    if (request.rtime < request.till) {
        request.rtime = request.till;
    }
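
The clamp proposed in the report above, modeled as a stand-alone C example added here (not code from the report or from the krb5 source). `struct req_times`, `build_times` and `times_consistent` are hypothetical names, and treating a zero renew lifetime as "no renewable ticket requested" is an assumption of this sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the time fields of a KDC request; not the krb5 struct. */
struct req_times {
    int64_t from;   /* requested start time (seconds) */
    int64_t till;   /* requested ticket expiration */
    int64_t rtime;  /* requested renew_until; 0 = not renewable (assumption) */
};

#define DAY ((int64_t)86400)

/* Build the request times from a start time and two lifetimes in seconds.
 * When clamp is nonzero, apply the check proposed in the report. */
static struct req_times build_times(int64_t from, int64_t tkt_life,
                                    int64_t renew_life, int clamp)
{
    struct req_times r;
    r.from = from;
    r.till = from + tkt_life;
    if (renew_life > 0) {
        r.rtime = from + renew_life;
        if (clamp && r.rtime < r.till)
            r.rtime = r.till;   /* never ask for renew_until < expiration */
    } else {
        r.rtime = 0;            /* no renewable ticket requested; leave as is */
    }
    return r;
}

/* 1 if the request is self-consistent: non-renewable, or rtime >= till. */
static int times_consistent(const struct req_times *r)
{
    return r->rtime == 0 || r->rtime >= r->till;
}

int main(void)
{
    int64_t now = 1700000000;  /* constructed timestamp */
    /* renew_lifetime = 7d from libdefaults, then "kinit -l 10d" */
    struct req_times bad = build_times(now, 10 * DAY, 7 * DAY, 0);
    struct req_times ok  = build_times(now, 10 * DAY, 7 * DAY, 1);
    printf("unclamped: consistent=%d rtime-till=%lld\n",
           times_consistent(&bad), (long long)(bad.rtime - bad.till));
    printf("clamped:   consistent=%d rtime-till=%lld\n",
           times_consistent(&ok), (long long)(ok.rtime - ok.till));
    return 0;
}
```

Without the guard on `renew_life`, the bare comparison would also turn a request with `rtime == 0` into one asking for a renew_until equal to the expiration time.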