Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.2.0
Fix Version/s: 2.0.0-beta
Component/s: core.api
Labels: None
Description
In kt_renewer, it does two things in quick succession to work around a Kerberos keytab compatibility issue:
- kinit -k -t <keytab> -c <cache> <princ>
- kinit -R -c <cache>
The first command gives us this ticket:

    Valid starting     Expires            Service principal
    03/22/12 00:35:24  03/23/12 00:35:24  krbtgt/VBOX.COM@VBOX.COM
            renew until 03/22/12 00:35:24

When the KDC doesn't allow renewal, this becomes a race. (At least on Kerberos version 1.9-22.el6_2.1.x86_64.) Note that in the ticket above, the renewal lifetime is the same as the start time, which means you can't renew. But the ticket itself is good for another 24 hours.
If you add a delay between the two commands, the renewal (2nd command) will fail as expected. But if the second command runs immediately, it will succeed because the clock granularity is 1 second. And unfortunately, when the second command succeeds, it makes the ticket invalid (note the expiration time):

    Valid starting     Expires            Service principal
    03/22/12 00:35:24  03/22/12 00:35:24  krbtgt/VBOX.COM@VBOX.COM
            renew until 03/22/12 00:35:24
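The guard a practitioner would want between the two commands, as an added example (this is not Hue's kt_renewer code): parse the klist output for the cache after the keytab kinit and only run kinit -R when the TGT actually has a renewable lifetime (renew-until later than the start time) and the current time is still inside both the ticket's and the renewable window. The date format, the principal name and the two klist transcripts below are constructed from the values in this report; the kinit/klist paths and the hue principal are assumptions.

```python
"""Guarded version of the kinit -k -t / kinit -R sequence.

Added example, not the project's own kt_renewer.  It inspects `klist -c <cache>`
between the two kinit calls and skips `kinit -R` when the KDC granted no
renewable lifetime, which is exactly the case where the immediate second kinit
"succeeds" and leaves an already-expired ticket in the cache.
"""
import re
import subprocess
from datetime import datetime

# klist on the reporter's build prints MM/DD/YY HH:MM:SS; other builds and
# locales differ, so the format is a parameter (assumption, not a krb5 API).
KLIST_DATE_FMT = "%m/%d/%y %H:%M:%S"
_DATE = r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"
_TGT_LINE = re.compile(rf"^\s*({_DATE})\s+({_DATE})\s+(krbtgt/\S+)\s*$")
_RENEW_LINE = re.compile(rf"^\s*renew until ({_DATE})\s*$")

# Constructed klist transcripts: the first reproduces the non-renewable ticket
# from this report, the second a ticket the KDC made renewable for 7 days.
SAMPLE_NON_RENEWABLE = """\
Ticket cache: FILE:/tmp/hue_krb5_ccache
Default principal: hue/host.vbox.com@VBOX.COM

Valid starting     Expires            Service principal
03/22/12 00:35:24  03/23/12 00:35:24  krbtgt/VBOX.COM@VBOX.COM
\trenew until 03/22/12 00:35:24
"""
SAMPLE_RENEWABLE = SAMPLE_NON_RENEWABLE.replace(
    "renew until 03/22/12 00:35:24", "renew until 03/29/12 00:35:24")


def parse_tgt(klist_output, date_fmt=KLIST_DATE_FMT):
    """Return (starting, expires, renew_until) datetimes for the krbtgt entry.

    renew_until is None when klist printed no 'renew until' line for the TGT.
    Raises ValueError when the output contains no krbtgt ticket at all."""
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        m = _TGT_LINE.match(line)
        if not m:
            continue
        starting = datetime.strptime(m.group(1), date_fmt)
        expires = datetime.strptime(m.group(2), date_fmt)
        renew_until = None
        if i + 1 < len(lines):
            r = _RENEW_LINE.match(lines[i + 1])
            if r:
                renew_until = datetime.strptime(r.group(1), date_fmt)
        return starting, expires, renew_until
    raise ValueError("no krbtgt ticket in klist output")


def renewable_lifetime(starting, renew_until):
    """Seconds of renewable lifetime the KDC granted: 0 when there is no
    'renew until' line or it is not later than the start time (the bug case)."""
    if renew_until is None or renew_until <= starting:
        return 0
    return int((renew_until - starting).total_seconds())


def safe_to_renew(klist_output, now, date_fmt=KLIST_DATE_FMT):
    """True only if kinit -R can extend this ticket rather than expire it."""
    starting, expires, renew_until = parse_tgt(klist_output, date_fmt)
    if renewable_lifetime(starting, renew_until) == 0:
        return False          # not renewable: kinit -R can only hurt
    if now >= expires:
        return False          # already expired: needs a fresh kinit -k -t
    return now < renew_until  # strictly inside the renewable window


def kinit_with_guarded_renew(keytab, principal, cache,
                             kinit="kinit", klist="klist"):
    """kt_renewer's two commands with the klist check between them.

    Returns True if the renewal was attempted, False if it was skipped."""
    subprocess.run([kinit, "-k", "-t", keytab, "-c", cache, principal], check=True)
    out = subprocess.run([klist, "-c", cache], check=True,
                         capture_output=True, text=True).stdout
    if not safe_to_renew(out, datetime.now()):
        return False
    subprocess.run([kinit, "-R", "-c", cache], check=True)
    return True


if __name__ == "__main__":
    at_start = datetime(2012, 3, 22, 0, 35, 24)
    print("non-renewable ticket, renew now:", safe_to_renew(SAMPLE_NON_RENEWABLE, at_start))
    print("renewable ticket, renew now:    ", safe_to_renew(SAMPLE_RENEWABLE, at_start))
```

The comparison is strict on purpose: at the very second the ticket was issued, a renew-until equal to the start time means zero renewable lifetime, and that is the one-second window in which the unguarded kinit -R succeeds and rewrites the expiry to the start time. Parsing klist output is brittle across krb5 versions and locales, so a production fix would rather ask the cache directly (for example through the krb5 API) than scrape the text.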