cTime and KrbError

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

cTime and KrbError

Luke Hebert
Hi,

So I've been searching around trying to understand cTime. While dealing
with a ticket renewal issue. I know that this is supposed to be the
client's current time. The question is what conditions cause cTime to print
out in Java debug as being from 1981. This isn't the start of epoch.

My assumption looking at the RFC for KRBError would suggest to me that
something went wrong and the authenticator could not decode the request and
the fields are omitted in the Error response. Thus resulting in a default
value being printed for what would be a time based field.







*>>> KDCRep: init() encoding tag is 126 req type is 13>>>KRBError:
 cTime is Fri Jan 02 13:51:06 CST 1981 347262666000         sTime is Sun
May 10 15:53:51 CST 2020 1589097231000         suSec is 15151         error
code is 32         error Message is Ticket expired*



*--Luke Hebert* | Customer Operations and Support
cloudera.com <https://www.cloudera.com>


------------------------------
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: cTime and KrbError

Greg Hudson
On 5/19/20 10:56 AM, Luke Hebert wrote:
> So I've been searching around trying to understand cTime. While dealing
> with a ticket renewal issue. I know that this is supposed to be the
> client's current time. The question is what conditions cause cTime to print
> out in Java debug as being from 1981. This isn't the start of epoch.
>
> My assumption looking at the RFC for KRBError would suggest to me that
> something went wrong and the authenticator could not decode the request and
> the fields are omitted in the Error response. Thus resulting in a default
> value being printed for what would be a time based field.

For a KRB-ERROR resulting from a TGS request, the MIT krb5 KDC would
normally omit the ctime and cusec fields.  It looks like a Heimdal KDC
would copy them from the request authenticator.  I don't know what
Microsoft KDCs do.

347262666 does not seem like a recognizable default value; I have no
idea where it could be coming from.
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: cTime and KrbError

Luke Hebert
Hi Greg,

Thanks for the response, this helps either way. I've been poking around
trying to figure out where this 347262666 value is coming from myself. It
might be something in our code base somewhere that I haven't been able to
track down.


*--Luke Hebert* | Customer Operations and Support
cloudera.com <https://www.cloudera.com>

------------------------------


On Tue, May 19, 2020 at 1:39 PM Greg Hudson <[hidden email]> wrote:

> On 5/19/20 10:56 AM, Luke Hebert wrote:
> > So I've been searching around trying to understand cTime. While dealing
> > with a ticket renewal issue. I know that this is supposed to be the
> > client's current time. The question is what conditions cause cTime to
> print
> > out in Java debug as being from 1981. This isn't the start of epoch.
> >
> > My assumption looking at the RFC for KRBError would suggest to me that
> > something went wrong and the authenticator could not decode the request
> and
> > the fields are omitted in the Error response. Thus resulting in a default
> > value being printed for what would be a time based field.
>
> For a KRB-ERROR resulting from a TGS request, the MIT krb5 KDC would
> normally omit the ctime and cusec fields.  It looks like a Heimdal KDC
> would copy them from the request authenticator.  I don't know what
> Microsoft KDCs do.
>
> 347262666 does not seem like a recognizable default value; I have no
> idea where it could be coming from.
>
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos