kt_renewer does two things in quick succession to work around a Kerberos keytab compatibility issue:
- kinit -k -t <keytab> -c <cache> <princ>
- kinit -R -c <cache>
The first command gives us this ticket:
When the KDC doesn't allow renewal, this becomes a race. (At least on Kerberos version 1.9-22.el6_2.1.x86_64.) Note that in the ticket above, the renewal lifetime is the same as the start time, which means you can't renew. But the ticket itself is good for another 24 hours.
If you add a delay between the two commands, the renewal (the second command) will fail as expected. But if the second command runs immediately, it will succeed because the clock granularity is 1 second. And unfortunately, when the second command succeeds, it makes the ticket invalid (note the expiration time):
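One way to guard against this race, as an added example that is not part of the original report or kt_renewer's own code: inspect the `klist` output for the cache after the first `kinit` and skip `kinit -R` when the "renew until" time is missing or not later than the start time. The sample output, the function names and the date format are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed klist output in the MIT krb5 layout; principal and times are made up.
NON_RENEWABLE = """\
Ticket cache: FILE:/tmp/example_ccache
Default principal: svc/host.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
06/05/12 10:00:00  06/06/12 10:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 06/05/12 10:00:00
"""
RENEWABLE = NON_RENEWABLE.replace("renew until 06/05/12", "renew until 06/12/12")

TIME_FMT = "%m/%d/%y %H:%M:%S"  # assumption: klist prints dates in this format
_TS = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
_TICKET = re.compile(r"^" + _TS + r"\s+" + _TS + r"\s+(\S+)")
_RENEW = re.compile(r"^\s+renew until " + _TS)


def parse_tgt(klist_output):
    """Return (start, expires, renew_till) for the krbtgt entry; renew_till may be None."""
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        m = _TICKET.match(line)
        if not m or not m.group(3).startswith("krbtgt/"):
            continue
        start = datetime.strptime(m.group(1), TIME_FMT)
        expires = datetime.strptime(m.group(2), TIME_FMT)
        # The renew-until line, when present, directly follows the ticket line.
        r = _RENEW.match(lines[i + 1]) if i + 1 < len(lines) else None
        renew_till = datetime.strptime(r.group(1), TIME_FMT) if r else None
        return start, expires, renew_till
    raise ValueError("no krbtgt entry in klist output")


def should_renew(klist_output):
    """True only if the TGT can be renewed beyond the second it was issued in."""
    start, _expires, renew_till = parse_tgt(klist_output)
    # renew_till == start is the case described above: kinit -R can only
    # succeed within the same clock second, so it must be skipped.
    return renew_till is not None and renew_till > start


if __name__ == "__main__":
    print(should_renew(NON_RENEWABLE), should_renew(RENEWABLE))
```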