On Thu, 4 Sep 2014, Brett Randall wrote:

> Initially I had checked kdc.conf, but of course clockskew is declared
> in krb5.conf, and I found my KDC had a (non-default) setting of
> clockskew = 3600 (1 hour). If I wait the full hour, the renewal is
> then rejected as expected.

The KDC merges krb5.conf and kdc.conf into a single "profile"; there is no distinction made between which file a variable is set in. (I do not consider here the case where a variable is set in both files.)

> Needless to say this caught me out. When I was reading the main
> documentation about ticket expiry, I didn't readily find any
> cross-references to clockskew and grace periods. What is interesting
> is that even though the client and KDC clocks are synced to the
> second, the grace period is still applied.

The KDC cannot really know that the clocks are synchronized, so the grace period must always be applied.

-Ben Kaduk
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
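An added example, not part of the original thread and not MIT krb5 code: a small audit helper that reads krb5.conf and kdc.conf as one merged profile, reports which file sets `clockskew`, and applies a simplified model of the grace period discussed above. The sample file contents, the function names and the 300-second fallback used when `clockskew` is unset are assumptions of the example; like the reply, it does not model a value set in both files.

```python
import re
from datetime import timedelta

DEFAULT_CLOCKSKEW = 300  # seconds; assumed default when clockskew is unset

# Constructed sample files, not the configuration from the thread's KDC.
KRB5_CONF = "[libdefaults]\n  default_realm = EXAMPLE.COM\n  clockskew = 3600\n"
KDC_CONF = ("[kdcdefaults]\n  kdc_ports = 88\n[realms]\n"
            "  EXAMPLE.COM = {\n    max_renewable_life = 7d\n  }\n")

def merged_profile(files):
    """Merge top-level relations of all files: section -> key -> [(file, value)]."""
    profile = {}
    for name, text in files.items():
        section, depth = None, 0
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            header = re.fullmatch(r"\[(\w+)\]", line)
            if header and depth == 0:
                section = profile.setdefault(header.group(1), {})
            elif line.endswith("{"):
                depth += 1          # nested block (e.g. a realm); skipped here
            elif line == "}":
                depth -= 1
            elif "=" in line and depth == 0 and section is not None:
                key, value = (part.strip() for part in line.split("=", 1))
                section.setdefault(key, []).append((name, value))
    return profile

def effective_clockskew(files):
    """Return (seconds, source file); a value set in several files is not modelled."""
    hits = merged_profile(files).get("libdefaults", {}).get("clockskew", [])
    if len(hits) > 1:
        raise ValueError("clockskew set in more than one file: %r" % hits)
    return (int(hits[0][1]), hits[0][0]) if hits else (DEFAULT_CLOCKSKEW, "default")

def accepted_after_expiry(endtime, now, clockskew):
    """Simplified grace-period model: rejected only once now > endtime + clockskew."""
    return now <= endtime + timedelta(seconds=clockskew)
```

Running `effective_clockskew` over both files shows the KDC-side value even when it lives in krb5.conf, which is the setting that was missed when only kdc.conf was checked.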