Subject: At Login the client is setting the renew life time to 24 hours?
KIM - set default_renewal_lifetime if KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE flag is set.

Vendor's priority - Other Bug
Vendor's patch - LHA-6325227-dont-set-renewable-life
Including the patch
diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kim/lib/kim_options.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kim/lib/kim_options.c
--- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kim/lib/kim_options.c 2008-11-07 11:24:45.000000000 -0800
+++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kim/lib/kim_options.c 2008-11-11 17:34:02.000000000 -0800
@@ -45,7 +45,7 @@
0,
kim_default_lifetime,
kim_default_renewable,
-kim_default_renewal_lifetime,
+0,
kim_default_forwardable,
kim_default_proxiable,
kim_default_addressless,
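Review bot: replacing kim_default_renewal_lifetime with a bare 0 in this initializer leaves a magic number whose meaning (0 = let the krb5 library pick its default renewable lifetime once KDC_OPT_RENEWABLE is requested) is not visible to the next reader, while every neighbouring field in the same struct still uses a named kim_default_* constant. Keep a named constant here, e.g. `kim_default_renewal_lifetime,` defined as 0 with a comment stating that 0 means "use the library default", so the initializer stays self-describing.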
@@ -488,8 +488,9 @@
if (!err) {
krb5_get_init_creds_opt_set_tkt_life (in_options->init_cred_options,
in_options->lifetime);
- krb5_get_init_creds_opt_set_renew_life (in_options->init_cred_options,
- in_options->renewable ? in_options->renewal_lifetime : 0);
+ if (in_options->renewal_lifetime || in_options->renewable)
+ krb5_get_init_creds_opt_set_renew_life (in_options->init_cred_options,
+ in_options->renewal_lifetime);
krb5_get_init_creds_opt_set_forwardable (in_options->init_cred_options,
in_options->forwardable);
krb5_get_init_creds_opt_set_proxiable (in_options->init_cred_options,
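Review bot: the new condition `if (in_options->renewal_lifetime || in_options->renewable)` changes what the renewable option means. The removed code passed `in_options->renewable ? in_options->renewal_lifetime : 0`, so renewable == FALSE always produced a renew life of 0; the new code calls krb5_get_init_creds_opt_set_renew_life with in_options->renewal_lifetime whenever that value is non-zero, even when renewable is FALSE, so the renewable switch can no longer turn renewability off. Conversely, when both are zero/FALSE the call is skipped entirely and the krb5 option struct keeps whatever it already held rather than an explicit 0. If the intent is only "renewable TRUE with lifetime 0 means library default", gate on `in_options->renewable` alone and pass in_options->renewal_lifetime. Note also that this hunk only works together with the get_in_tkt.c change that honours the KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE flag for a 0 value; a comment here pointing at that dependency would help, and the two-line if body should get braces for consistency with the surrounding block.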
diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kim/lib/kim_preferences_private.h Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kim/lib/kim_preferences_private.h
--- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kim/lib/kim_preferences_private.h 2008-11-07 11:24:45.000000000 -0800
+++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kim/lib/kim_preferences_private.h 2008-11-11 17:33:14.000000000 -0800
@@ -52,7 +52,6 @@

#define kim_default_lifetime 10*60*60
#define kim_default_renewable TRUE
-#define kim_default_renewal_lifetime 7*24*60*60
#define kim_default_forwardable TRUE
#define kim_default_proxiable TRUE
#define kim_default_addressless TRUE
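Review bot: deleting the kim_default_renewal_lifetime macro removes the one place in the header where the default renewable lifetime is documented, while kim_default_lifetime, kim_default_renewable and the other defaults keep their named definitions. Rather than dropping it, redefine it as `#define kim_default_renewal_lifetime 0` with a comment that 0 means "defer to the krb5 library default when KDC_OPT_RENEWABLE is requested", so the default remains discoverable and the kim_options.c initializer can keep referencing it by name.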
diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/krb5/krb/get_in_tkt.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/krb5/krb/get_in_tkt.c
--- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/krb5/krb/get_in_tkt.c 2008-11-07 11:25:56.000000000 -0800
+++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/krb5/krb/get_in_tkt.c 2008-11-11 18:20:20.000000000 -0800
@@ -1026,7 +1026,7 @@
} else {
renew_life = 0;
}
- if (renew_life > 0)
+ if (renew_life > 0 || (options->flags & KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE))
request.kdc_options |= KDC_OPT_RENEWABLE;

if (renew_life > 0) {
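Review bot: widening the condition to `renew_life > 0 || (options->flags & KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE)` changes the meaning of an explicit krb5_get_init_creds_opt_set_renew_life(opts, 0) for every caller of this library, not just KIM: before this change a 0 value never set KDC_OPT_RENEWABLE, after it the flag alone requests a renewable ticket. Any caller that used a 0 renew life to ask for a non-renewable ticket will now get a renewable one requested. The following `if (renew_life > 0) {` block is unchanged, so in the flag-set-with-0 case the request carries KDC_OPT_RENEWABLE with no renew-till value and the effective renewable lifetime is left entirely to the KDC. That behaviour should be spelled out in the krb5_get_init_creds_opt_set_renew_life documentation, and the surrounding `} else { renew_life = 0; }` path deserves a comment distinguishing "not set" from "explicitly set to 0".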
I'm not sure how this patch fixes a bug where ticket renewal times are 24 hours. KIM (and KLL,
which this code was copied from) is hardcoding a default of 7 days. So while this patch does
get rid of a duplicate default value, I am concerned that it is not actually fixing the bug
described in the subject line.

Also as far as code readability goes, I'd like to see the kim_default_renewal_lifetime macro
remain in the code and be set to 0 with a comment explaining that the krb5 libraries treat a
renewable lifetime of 0 as "use the default renewal lifetime" when KDC_OPT_RENEWABLE is set.
The patch just sets a 0 in the initializer structure with no explanation as to what it means. This
increases the likelihood that future programmers will break the code while trying to modify its
behavior.
On purpose to fix the problem in the subject line, just make sure that the tools behaved
consistently.

I have no comment about the readability.
Commented, passing back to Zhanna.