[OpenAFS] token lifetime

Jayen Ashar jayen@science.unsw.edu.au
Sat, 14 Jul 2012 20:42:24 +1000

On Fri, Jul 6, 2012 at 6:08 PM, Jeffrey Altman
<jaltman@secure-endpoints.com> wrote:
> The code in question is tkt_DecodeTicket5() in src/rxkad/ticket5.c and
> tkt_CheckTimes() in src/rxkad/ticket.c.  If the 'end' value is not
> exactly NEVERDATE (0xFFFFFFFF) and ('end' - 'start') is greater than
> 30 days, the token will be rejected.

I managed to make the 'end' value exactly NEVERDATE from the Kerberos
server, but the client assumes it is an error:
Kerberos error code returned by get_cred : 1859794432
aklog: Couldn't get storm.ccrc.unsw.edu.au AFS tickets:
aklog: Unknown code asn1 0 (1859794432) while getting AFS tickets

Works as expected with 0xFFFFFFFE and 0, though.  (The ticket is
expired and so there are no tokens.)

Guess 30 days is the limit.
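
The lifetime rule stated in the quoted message, written out as an added example (not part of the original e-mail and not OpenAFS source code) and run over the three 'end' values tried above. It models only that one rule; check_lifetime(), the verdict enum and the sample start time are hypothetical, and unsigned 32-bit timestamps are an assumption.

```c
#include <stdint.h>
#include <stdio.h>

#define NEVERDATE    0xFFFFFFFFu              /* sentinel value given in the quoted message */
#define MAX_LIFETIME (30u * 24u * 60u * 60u)  /* 30 days in seconds, per the quoted message */
#define SAMPLE_START 1342262544u              /* constructed sample start time (epoch seconds) */

enum verdict { TOKEN_OK = 0, TOKEN_REJECTED = 1 };

/* Hypothetical helper: applies only the rule as stated in the quoted message.
 * Assumption: 'start' and 'end' are unsigned 32-bit seconds. */
static enum verdict check_lifetime(uint32_t start, uint32_t end)
{
    if (end == NEVERDATE)
        return TOKEN_OK;                      /* exact sentinel: lifetime limit not applied */
    /* Unsigned subtraction: an 'end' earlier than 'start' wraps around to a
     * huge lifetime, so the same comparison rejects it. */
    if ((uint32_t)(end - start) > MAX_LIFETIME)
        return TOKEN_REJECTED;
    return TOKEN_OK;
}

int main(void)
{
    const struct { const char *label; uint32_t end; } cases[] = {
        { "start + 30 days",     SAMPLE_START + MAX_LIFETIME },
        { "start + 30 days + 1", SAMPLE_START + MAX_LIFETIME + 1u },
        { "NEVERDATE",           NEVERDATE },
        { "0xFFFFFFFE",          0xFFFFFFFEu },   /* one below the sentinel */
        { "0",                   0u },            /* 'end' before 'start' */
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        enum verdict v = check_lifetime(SAMPLE_START, cases[i].end);
        printf("%-20s end=0x%08lX -> %s\n", cases[i].label,
               (unsigned long)cases[i].end,
               v == TOKEN_OK ? "accepted" : "rejected");
    }
    return 0;
}
```

Under this model only the exact sentinel bypasses the limit: 0xFFFFFFFE is treated as an ordinary timestamp far more than 30 days after 'start', and 0 wraps to a similarly large difference.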