On Wed, 29 Jul 2015, Ken Hornstein wrote:

> >Is there any general wisdom out there about mixed KDC/Client versions? Are
> >there concerns around allowing environments to drift to where a KDC would be
> >on a later release than the clients?
>
> FWIW, we run a whole bunch of crazy versions of Kerberos, and generally
> there is not an interoperability problem; the protocol is pretty well
> specified and in general everything works fine at that level.

Yes; it is expected that any implementation of the Kerberos protocol can successfully talk to a peer running a different implementation, including the case where the peers differ only by software version and have a common lineage.

> >There seems to be a change in default behavior in the 1.12+ where renewable
> >tickets must be specifically requested (RHEL 7 is including the 1.12 as the
> >tested krb release in platform).
>
> This is more of a problem, but I don't consider this an interoperability
> issue.

That sort-of calls to mind https://github.com/krb5/krb5/commit/4f551a7ec126c52ee1f8fea4c3954015b70987bd, and makes me wonder what the actual lifetimes in the request are (and the max permitted by the KDC).

-Ben