I am doing a small experiment and noticed something interesting.
My KDC is configured with max_life = 30s and max_renewable_life = 1m. I use kinit with a password to get a TGT, and then I renew it again and again with "kinit -R".
It looks normal in the first few calls, as the expiration time increases and the renew until time remains unchanged. Then, when the expiration time is bigger than the renew until time, the renew until time does not show anymore. I checked the bits in the ticket and it is indeed missing. The ticket is still RENEWABLE.
Then I do a final renew and the KDC reports "Ticket expired". I think this is due to the check at
On 08/23/2017 03:46 AM, Weijun Wang wrote:
> This is not serious at all, but I wonder if the renew until time should not be removed at the second-to-last renew, or the ticket should not be renewable, or it should not be rejected at the last renew.
This behavior appears to be a bug. The intent of the code is to issue a
non-renewable ticket in this case, although we should consider whether
to instead issue a trivially renewable ticket (in this case and in other
cases where a renewable ticket is requested but the computed renew_till
<= till). I filed a ticket here: