From b20bb509bdf15f47c744e157fee16f03d872b7b2 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Tue, 26 Nov 2013 16:51:45 -0600
Subject: [PATCH] Fix never valid error condition in KDC

The TGS was incorrectly using authtime to compute renew_till for new tickets, which was in turn leading to endtime potentially being equal to starttime, which caused the TGS to return KRB5KDC_ERR_NEVER_VALID. This happens when the TGT renewal lifetime is longer than the max renew lifetime of any other services, after that much time (target services' max renew life) passes. The TGT is still good but TGS-REQs fail.
---
 kdc/krb5tgs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 4634fefb6..347a4221d 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -837,12 +837,12 @@ tgs_make_reply(krb5_context context,
 }
 if(et.renew_till){
 time_t renew;
- renew = *et.renew_till - et.authtime;
+ renew = *et.renew_till - *et.starttime;
 if(client && client->entry.max_renew)
 renew = min(renew, *client->entry.max_renew);
 if(server->entry.max_renew)
 renew = min(renew, *server->entry.max_renew);
- *et.renew_till = et.authtime + renew;
+ *et.renew_till = *et.starttime + renew;
 }
 if(et.renew_till){