Date: | Sun, 12 Apr 2015 17:52:49 -0400 (EDT) |
From: | Roland Mainz <rmainz@redhat.com> |
To: | krb5-bugs@mit.edu |
Subject: | [krb5bug] Kerberos ticket expired error with lifetime remaining |
CC: | Greg Hudson <ghudson@mit.edu> |
Hi!
----
[More or less the same as Redhat bug #1208553 ("Kerberos ticket expired error with lifetime remaining")]
Kerberos TGTs with a short lifetime (<3 minutes) give problems obtaining tickets. The problem seems to be worse in krb5-1.12.x (compared to krb5-1.10.x), with a significant threshold around 120 seconds (with a TGT lifetime of 120s or less, obtaining a ticket fails 90% of the time, with a lifetime of 121s it succeeds 90% of the time, with 126s it succeeds ~100%).
Steps to Reproduce:
1. kinit -l 120s -k -t <keytab> <principal> && kvno 'host/<host>'
Actual results:
kvno: Ticket expired while getting credentials for host/<host>@<domain>
Expected results:
host/<host>@<domain>: kvno = 3
Additional info:
Time difference with the KDC is less than 0.1 seconds.
I also see the problem with krb5-1.10.x, but with much less pronounced 120s threshold.
----
Bye,
Roland
--
__ . . __
(o.\ \/ /.o) rmainz@redhat.com
\__\/\/__/ IPA/Kerberos5 team
/O /==\ O\
(;O/ \/ \O;)