From: Brett Randall Date: Fri, 5 Sep 2014 01:21:35 +0000 (+1000) Subject: Document clock skew tolerance for ticket times X-Git-Tag: krb5-1.14-alpha1~248 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e56f3d43a746c198b1fd1889dc1211b9feedbfc3;p=thirdparty%2Fkrb5.git Document clock skew tolerance for ticket times KDC and application server checks on ticket start and expiration times are subject to clock skew tolerance. Document this grace period. [tlyu@mit.edu: edit commit message, adjust wording to conform to existing style, document start time clock skew] ticket: 8008 (new) target_version: 1.13 tags: pullup --- diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst index 2b219fbedf..6636c2fc81 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst @@ -126,6 +126,12 @@ The libdefaults section may contain any of the following relations: library will tolerate before assuming that a Kerberos message is invalid. The default value is 300 seconds, or five minutes. + The clockskew setting is also used when evaluating ticket start + and expiration times. For example, tickets that have reached + their expiration time can still be used (and renewed if they are + renewable tickets) if they have been expired for a shorter + duration than the **clockskew** setting. + **default_ccache_name** This relation specifies the name of the default credential cache. The default is |ccache|. This relation is subject to parameter diff --git a/doc/user/user_commands/kinit.rst b/doc/user/user_commands/kinit.rst index c2b3b7fed0..72721c3e32 100644 --- a/doc/user/user_commands/kinit.rst +++ b/doc/user/user_commands/kinit.rst 
@@ -103,6 +103,11 @@ OPTIONS expired ticket cannot be renewed, even if the ticket is still within its renewable life. + Note that renewable tickets that have expired as reported by + :ref:`klist(1)` may sometimes be renewed using this option, + because the KDC applies a grace period to account for client-KDC + clock skew. See :ref:`krb5.conf(5)` **clockskew** setting. + **-k** [**-i** | **-t** *keytab_file*] requests a ticket, obtained from a key in the local host's keytab. The location of the keytab may be specified with the **-t**
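Review bot: In the doc/admin/conf_files/krb5_conf.rst hunk, the added paragraph says clockskew applies to "ticket start and expiration times" but the example covers only expiration. A matching sentence for the start-time case would make the stated scope concrete. The first mention is also written as plain "clockskew" while the last is "**clockskew**"; bold both for consistency with the rest of the section. Since the text establishes that an expired ticket remains usable and renewable for up to the clockskew value, it would help administrators to say explicitly that raising clockskew lengthens that window by the same amount.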
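Review bot: In the doc/user/user_commands/kinit.rst hunk, the new note sits directly after the unchanged sentence "expired ticket cannot be renewed, even if the ticket is still within its renewable life", so the option text now states a flat rule and then an exception to it with no connective. Either qualify the earlier sentence or open the note with "However" so the two read as rule and exception. "May sometimes be renewed" is vaguer than the condition given in krb5_conf.rst (expired for a shorter duration than the clockskew setting); stating that condition here would tell the user when renewal is expected to succeed. The final sentence reads better as "See the **clockskew** setting in :ref:`krb5.conf(5)`."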