From 597b59dfb74f0c2e96954e16a9d77e94ca1afa92 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Fri, 14 Apr 2023 11:47:08 +1200
Subject: [PATCH] kdc: Return NEVER_VALID error code if ticket will never be valid

This matches the error generated by Windows.

Signed-off-by: Joseph Sutton
---
 kdc/kerberos5.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index e4a417cb6..e9c15840b 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2536,6 +2536,13 @@ _kdc_as_rep(astgs_request_t r)
 t = min(t, rk_time_add(start, realm->max_life));
 #endif
 r->et.endtime = t;
+
+ if (start > r->et.endtime) {
+ _kdc_set_e_text(r, "Requested effective lifetime is negative or too short");
+ ret = KRB5KDC_ERR_NEVER_VALID;
+ goto out;
+ }
+
 if(f.renewable_ok && r->et.endtime < *b->till){
 f.renewable = 1;
 if(b->rtime == NULL){
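Review bot: The added guard `if (start > r->et.endtime)` uses a strict comparison, so a request whose clamped end time equals `start` still passes and a ticket with zero lifetime is issued, even though the e-text says "negative or too short". RFC 4120 section 3.1.3 describes KDC_ERR_NEVER_VALID for lifetimes below a site-determined minimum; if zero-length tickets should be refused too, `if (start >= r->et.endtime) {` covers that case, otherwise trim the e-text to "negative" so it matches what is checked. Since the commit message says this matches Windows, the `start == endtime` boundary is worth pinning with a test against that behaviour. `_kdc_as_rep` starts and ends outside the hunk, so the `out:` cleanup path and whether this rejection is recorded for auditing are not visible here.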