handling of expired TGT ticket in heimdal krb5 lib

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

handling of expired TGT ticket in heimdal krb5 lib

Matthieu Patou

Hello All,


I'm wondering if there isn't a problem in heimdal in the way the expiration of TGT is handled.

I'm seeing this problem, I have two realms: MYFB.COM and ENG.MYFB.COM; ENG.MYFB.COM is trusting MYFB.COM, when I log on my laptop I get a TGT ticket for MYFB.COM for 10 days, then I try to ssh to a machine that use the ENG.MYFB.COM so I get a TGT for ENG.MYFB.COM:


krbtgt/[hidden email]


But the realm for ENG.MYFB.COM is only granting TGT for 2 days, so after 2 days I have 3 (or more) tickets:


1) 1 for MYFB.COM

2) 1 TGT for ENG.MYFB.COM

3) 1 for host/[hidden email]


tickets 2 and 3 are expired and when try one more time to ssh to my server it's failing because the expired TGT for ENG.MYFB.COM is sent to a kdc for this realm and the kdc reply indicating that the ticket is expired.


I tried the same with MIT kerberos on linux (1.13) and it's working fine as the library fetches a new TGT for ENG.MYFB.COM if the existing one is expired and the main TGT is not expired.


Thanks.

Matthieu