[OpenAFS] WXP 1.2.9a client to 1.3 K5 KDC
John W. Sopko Jr.
sopko@cs.unc.edu
Mon, 28 Jul 2003 15:00:41 -0400
I am running:
- Kerberos 5 KDC version 1.3
- fakeka and krb524 are running
- OpenAFS 1.2.9a test cell under Red Hat 9
- Open AFS windows client version 1.2.9a on Windows XP
I can kinit/aklog on linux and solaris without any
problems. I can klog to the fakeka server, no problems.
As we know the windows client talks to the K5 KDC over port 750. I can
get a token for 10 hours 40 minutes (10:40) on the Windows client. If I
set the principals -maxlife time in the K5 KDC to 10:41 or greater when
getting a token from the Windows XP client I get an error:
Error: 37(server and client are badly skewed)
I know my clocks are within 100 milli seconds and I do not have the
problem if I set the -maxlife below 10:41.
I had a similar token lifetime problem with Kerberos 1.2.7 where if I
set the -maxlife greater then 20 hours (20:00) I would get a token good
until 1/1/1601.
I was hoping Kerberos 1.3 would fix the problem, it just changed it.
Can anyone else verify this?
The KDC krb5kdc.log log file shows no difference between the error and
non error cases when getting a token, see below. There are no events
logged in the Windows event logs on the client.
Error: (-maxlife 10:41)
------
Jul 28 14:22:16 kfive.cs.unc.edu krb5kdc[16417](info):
PROCESS_V4:Initial ticket request Host: 152.2.142.104 User: "sopkox" ""
Jul 28 14:22:16 kfive.cs.unc.edu krb5kdc[16417](info):
PROCESS_V4:INITIAL request from sopkox. for afs.
No Error: (-maxlife 10:40)
---------
Jul 28 14:23:37 kfive.cs.unc.edu krb5kdc[16417](info):
PROCESS_V4:Initial ticket request Host: 152.2 .142.104 User: "sopkox" ""
Jul 28 14:23:37 kfive.cs.unc.edu krb5kdc[16417](info):
PROCESS_V4:INITIAL request from sopkox. for afs.
--
John W. Sopko Jr. University of North Carolina
email: sopko@cs.unc.edu Computer Science Dept., CB 3175
Phone: 919-962-1844 Sitterson Hall; Room 044
Fax: 919-962-1799 Chapel Hill, NC 27599-3175