
Date: Sun, 12 Apr 2015 17:52:49 -0400 (EDT)
From: Roland Mainz <>
Subject: [krb5bug] Kerberos ticket expired error with lifetime remaining
CC: Greg Hudson <>



[More or less the same as Red Hat bug #1208553 ("Kerberos ticket expired error with lifetime remaining")]
Kerberos TGTs with a short lifetime (<3 minutes) give problems obtaining tickets. The problem seems to be worse in krb5-1.12.x (compared to krb5-1.10.x), with a significant threshold around 120 seconds (with a TGT lifetime of 120s or less, obtaining a ticket fails 90% of the time, with a lifetime of 121s it succeeds 90% of the time, with 126s it succeeds ~100%).

Steps to Reproduce:
1. kinit -l 120s -k -t <keytab> <principal> && kvno 'host/<host>'

Actual results:
kvno: Ticket expired while getting credentials for host/<host>@<domain>

Expected results:
host/<host>@<domain>: kvno = 3

Additional info:
Time difference with the KDC is less than 0.1 seconds.
I also see the problem with krb5-1.10.x, but with much less pronounced 120s threshold.



__ . . __
(o.\ \/ /.o)
\__\/\/__/ IPA/Kerberos5 team
/O /==\ O\
(;O/ \/ \O;)
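The report gives single success percentages per lifetime. The script below is an added reproduction harness, not part of the bug report or of MIT krb5: it wraps the reporter's `kinit -l ... && kvno` step in a function, repeats it for a chosen number of trials per lifetime, and sweeps lifetimes across the 120s boundary so the threshold can be measured rather than eyeballed. It assumes `kinit`, `kvno` and `kdestroy` on PATH and a reachable KDC; `KEYTAB`, `PRINCIPAL` and `SERVICE` are placeholders to replace with the real keytab, client principal and `host/<host>` service from the report.

```shell
#!/bin/sh
# Added reproduction harness (not from the bug report or MIT krb5):
# sweep TGT lifetimes around the 120s threshold and report the kvno
# success rate for each. KEYTAB/PRINCIPAL/SERVICE are placeholders.
KEYTAB="${KEYTAB:-/path/to/keytab}"                 # placeholder
PRINCIPAL="${PRINCIPAL:-client@EXAMPLE.COM}"        # placeholder
SERVICE="${SERVICE:-host/client.example.com}"       # placeholder, host/<host>
# Use a private ccache so the sweep does not clobber the user's tickets.
export KRB5CCNAME="${KRB5CCNAME:-FILE:/tmp/krb5cc_repro.$$}"

# one_trial LIFETIME: obtain a TGT with the given lifetime, then ask for a
# service ticket. Returns 0 if kvno succeeds, 1 if kvno fails (the
# "Ticket expired while getting credentials" case), 2 if kinit itself fails.
one_trial() {
    kinit -l "$1" -k -t "$KEYTAB" "$PRINCIPAL" >/dev/null 2>&1 || return 2
    kvno "$SERVICE" >/dev/null 2>&1
}

# success_rate LIFETIME TRIALS: prints the integer percentage of trials in
# which kvno succeeded for that TGT lifetime.
success_rate() {
    lifetime=$1; trials=$2; ok=0; i=0
    while [ "$i" -lt "$trials" ]; do
        if one_trial "$lifetime"; then ok=$((ok + 1)); fi
        i=$((i + 1))
    done
    echo $((ok * 100 / trials))
}

# sweep START END STEP TRIALS: one "<lifetime>s <percent>%" line per
# lifetime in seconds from START to END, so the threshold is visible.
sweep() {
    l=$1
    while [ "$l" -le "$2" ]; do
        echo "${l}s $(success_rate "${l}s" "$4")%"
        l=$((l + $3))
    done
}

# Run the sweep only when explicitly asked (RUN_SWEEP=1), since it needs a
# live KDC; the functions above can be sourced and driven separately.
if [ "${RUN_SWEEP:-0}" = 1 ]; then
    sweep 115 126 1 10
    kdestroy >/dev/null 2>&1
fi
```

Run with `RUN_SWEEP=1 KEYTAB=... PRINCIPAL=... SERVICE=... sh repro.sh` against the 1.10 and 1.12 clients; a sharp drop between the 120s and 121s lines reproduces what the report describes, while a flat 100% column means the client in use does not show the problem. Ten trials per lifetime is enough to see a 90%/10% split; raise the count for finer resolution.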

Robbert describes a scenario involving Windows Server KDCs. Were you
actually able to reproduce this using the steps followed, and did you
use a Windows KDC? I do not see the problem using a current MIT krb5

It does sound like there might be a relevant difference in behavior
between the MIT krb5 1.10 and 1.12 client code, but absent a time
differential between client and KDC (which Robbert specifically claims
does not exist), I cannot imagine what it would be.