KDC and application server checks on ticket start and expiration times
are subject to clock skew tolerance. Document this grace period.
[tlyu@mit.edu: edit commit message, adjust wording to conform to
existing style, document start time clock skew]
ticket: 8008 (new)
target_version: 1.13
tags: pullup
library will tolerate before assuming that a Kerberos message is
invalid. The default value is 300 seconds, or five minutes.
+ The clockskew setting is also used when evaluating ticket start
+ and expiration times. For example, tickets that have reached
+ their expiration time can still be used (and renewed if they are
+ renewable tickets) if they have been expired for a shorter
+ duration than the **clockskew** setting.
+
**default_ccache_name**
This relation specifies the name of the default credential cache.
The default is |ccache|. This relation is subject to parameter
expired ticket cannot be renewed, even if the ticket is still
within its renewable life.
+ Note that renewable tickets that have expired as reported by
+ :ref:`klist(1)` may sometimes be renewed using this option,
+ because the KDC applies a grace period to account for client-KDC
+ clock skew. See :ref:`krb5.conf(5)` **clockskew** setting.
+
**-k** [**-i** | **-t** *keytab_file*]
requests a ticket, obtained from a key in the local host's keytab.
The location of the keytab may be specified with the **-t**
projects / thirdparty / krb5.git / commitdiff
