Date: Sun, 12 Apr 2015 17:52:49 -0400 (EDT)
From: Roland Mainz <email@example.com>
Subject: [krb5bug] Kerberos ticket expired error with lifetime remaining
CC: Greg Hudson <firstname.lastname@example.org>

[More or less the same as Red Hat bug #1208553 ("Kerberos ticket expired error with lifetime remaining")]
Kerberos TGTs with a short lifetime (<3 minutes) give problems obtaining tickets. The problem seems to be worse in krb5-1.12.x (compared to krb5-1.10.x), with a significant threshold around 120 seconds (with a TGT lifetime of 120s or less, obtaining a ticket fails 90% of the time, with a lifetime of 121s it succeeds 90% of the time, with 126s it succeeds ~100%).
Steps to Reproduce:
1. kinit -l 120s -k -t <keytab> <principal> && kvno 'host/<host>'
kvno: Ticket expired while getting credentials for host/<host>@<domain>
host/<host>@<domain>: kvno = 3
Time difference with the KDC is less than 0.1 seconds.
I also see the problem with krb5-1.10.x, but with a much less pronounced 120s threshold.
__ . . __
(o.\ \/ /.o) email@example.com
\__\/\/__/ IPA/Kerberos5 team
/O /==\ O\
(;O/ \/ \O;)