
kerberos5.c check_tgs_flags problem



From RFC1510 section 3.3.3. Generation of KRB_TGS_REP message
   If the request specifies an endtime, then the endtime of the new
   ticket is set to the minimum of (a) that request, (b) the endtime
   from the TGT, and (c) the starttime of the TGT plus the minimum of
   the maximum life for the application server and the maximum life for
   the local realm (the maximum life for the requesting principal was
   already applied when the TGT was issued).  If the new ticket is to be
   a renewal, then the endtime above is replaced by the minimum of (a)
   the value of the renew_till field of the ticket and (b) the starttime
   for the new ticket plus the life (endtime-starttime) of the old
   ticket.


In check_tgs_flags:
    if(f.renew){
        time_t old_life;
        if(!tgt->flags.renewable || tgt->renew_till == NULL){
            kdc_log(0, "Request to renew non-renewable ticket");
            return KRB5KDC_ERR_BADOPTION;
        }
        old_life = tgt->endtime;
        if(tgt->starttime)
            old_life -= *tgt->starttime;
        else
            old_life -= tgt->authtime;
        et->endtime = min(*b->till, *et->starttime + old_life);
    }

I think that last line should read:
et->endtime = min(*et->renew_till, *et->starttime + old_life);

(e.g. be pulled from *b->rtime)

-D
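
The two bounds discussed in the message above, side by side, as an added example that is not part of the original post or of the KDC source. The struct, the function names and the timestamps are constructed for illustration, and "the ticket" in the RFC text is taken to be the ticket being renewed (an assumption).

```c
#include <stdio.h>
#include <time.h>

/* Hypothetical, simplified stand-in for the ticket fields the post refers to. */
struct tkt_times {
    time_t authtime;
    time_t starttime;   /* 0 = absent, fall back to authtime as the quoted code does */
    time_t endtime;
    time_t renew_till;
};

/* Constructed sample: 10 hour ticket, renewable for one day after it started. */
static const struct tkt_times sample_tgt = { 1000, 1000, 37000, 87400 };

static time_t min_time(time_t a, time_t b) { return a < b ? a : b; }

/* Life of the old ticket: endtime - starttime (authtime if no starttime). */
time_t old_life(const struct tkt_times *tgt)
{
    return tgt->endtime - (tgt->starttime ? tgt->starttime : tgt->authtime);
}

/* Bound as in the quoted check_tgs_flags line: the request's till field. */
time_t renew_endtime_till(const struct tkt_times *tgt, time_t new_start,
                          time_t req_till)
{
    return min_time(req_till, new_start + old_life(tgt));
}

/* Bound as in the quoted RFC 1510 3.3.3 text: the renew_till field. */
time_t renew_endtime_rfc(const struct tkt_times *tgt, time_t new_start)
{
    return min_time(tgt->renew_till, new_start + old_life(tgt));
}

int main(void)
{
    /* Renewal requested late in the renewable window with a far-future till. */
    time_t new_start = 80000, req_till = 200000;
    time_t a = renew_endtime_till(&sample_tgt, new_start, req_till);
    time_t b = renew_endtime_rfc(&sample_tgt, new_start);

    printf("till-bounded endtime:       %lld\n", (long long)a);
    printf("renew_till-bounded endtime: %lld\n", (long long)b);
    printf("past renew_till by:         %lld s\n",
           (long long)(a - sample_tgt.renew_till));
    return 0;
}
```

With these values the till-bounded result runs past renew_till, while the renew_till-bounded result stops exactly at it.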