
Ticket expires 120 seconds early?


Robbert Eggermont

Apr 2, 2015, 9:16:19 AM
to kerb...@mit.edu
Hi,

For some time (years) I've been using tickets with a 1 minute lifetime
(in cron jobs). Lately, this is giving me problems:

$ kinit -l 1m -k -t <keytab> <principal> && kvno 'host/<host>'
kvno: Ticket expired while getting credentials for host/<host>@<domain>

With RHEL7 (krb5-1.12.2), the problems seem to be much worse, so I did a
little experimentation which seems to indicate some kind of limit at 120s:

$ kinit -l 120s -k -t <keytab> <principal> && kvno 'host/<host>'
kvno: Ticket expired while getting credentials for host/<host>@<domain>
$ kinit -l 121s -k -t <keytab> <principal> && kvno 'host/<host>'
host/<host>@<domain>: kvno = 3

The first fails 90% of the time, the second succeeds 90% of the time.

What am I seeing here, and is it supposed to be like this?

Thanks,

Robbert

--
Robbert Eggermont Intelligent Systems
R.Egg...@tudelft.nl Electr.Eng., Mathematics & Comp.Science
+31 15 27 83234 Delft University of Technology

Stephen Carville (Kerberos List)

Apr 2, 2015, 10:34:26 AM
to kerb...@mit.edu
My first suspicion is that the clock on the client is about 120 seconds
ahead of the KDC.

Robbert Eggermont

Apr 2, 2015, 10:58:32 AM
to kerb...@mit.edu
Sorry, forgot to mention:
The time difference with the KDC is within 0.1 seconds (according to
ntpdate). The KDC runs Windows Server (if that matters?).

Stephen Carville

Apr 2, 2015, 5:49:17 PM
to kerb...@mit.edu
My first suspicion is that the clocks on the machines are out of sync.

On 04/02/2015 06:16 AM, Robbert Eggermont [Masked] wrote:
> Hi,
>
> For some time (years) I've been using tickets with a 1 minute lifetime
> (in cron jobs). Lately, this is giving me problems:
>
> $ kinit -l 1m -k -t <keytab> <principal> && kvno 'host/<host>'
> kvno: Ticket expired while getting credentials for host/<host>@<domain>
>
> With RHEL7 (krb5-1.12.2), the problems seem to be much worse, so I did a
> little experimentation which seems to indicate some kind of limit at 120s:
>
> $ kinit -l 120s -k -t <keytab> <principal> && kvno 'host/<host>'
> kvno: Ticket expired while getting credentials for host/<host>@<domain>
> $ kinit -l 121s -k -t <keytab> <principal> && kvno 'host/<host>'
> host/<host>@<domain>: kvno = 3
>
> The first fails 90% of the time, the second succeeds 90% of the time.
>
> What am I seeing here, and is it supposed to be like this?
>
> Thanks,
>
> Robbert
>

--
Stephen Carville
1123 Park View Drive | Covina, CA 91724
626-339-5221 X1326
scar...@lerNOSPAMeta.com
=================================================
laeti vescimur nos subacturis
=================================================