handling of expired TGT ticket in heimdal krb5 lib

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

handling of expired TGT ticket in heimdal krb5 lib

Matthieu Patou

Hello All,

I'm wondering if there isn't a problem in heimdal in the way the expiration of TGT is handled.

I'm seeing this problem, I have two realms: MYFB.COM and ENG.MYFB.COM; ENG.MYFB.COM is trusting MYFB.COM, when I log on my laptop I get a TGT ticket for MYFB.COM for 10 days, then I try to ssh to a machine that use the ENG.MYFB.COM so I get a TGT for ENG.MYFB.COM:

krbtgt/[hidden email]

But the realm for ENG.MYFB.COM is only granting TGT for 2 days, so after 2 days I have 3 (or more) tickets:

1) 1 for MYFB.COM


3) 1 for host/[hidden email]

tickets 2 and 3 are expired and when try one more time to ssh to my server it's failing because the expired TGT for ENG.MYFB.COM is sent to a kdc for this realm and the kdc reply indicating that the ticket is expired.

I tried the same with MIT kerberos on linux (1.13) and it's working fine as the library fetches a new TGT for ENG.MYFB.COM if the existing one is expired and the main TGT is not expired.