Lifetime on new tickets can be erroneous

Bug #104830 reported by Matthew L. Dailey
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
krb5-auth-dialog (Ubuntu) | Confirmed | Wishlist | Unassigned |

Bug Description

Binary package hint: krb5-auth-dialog

When new tickets are obtained in renew_credentials(), options are set from the existing credentials using the set_options_using_creds() function. However, in the case of a ticket that has been renewed (either automatically or via my patch for bug #104815), the lifetime and renew lifetime at final expiration cannot be obtained by looking at existing credentials. For example, an initial ticket is obtained for 10 hours, with a seven-day renewable lifetime. If it is auto-renewed, krb5-auth-dialog will pop the dialog when there are 30 minutes left in the final expiration. At this point, it is possible that the last renewal will have gotten a renewed ticket that starts 30 minutes from expiration and has a renewable lifetime of only 30 minutes. So, these are the options set for the new ticket.

For our environment, it makes more sense to just use the Kerberos defaults (from krb5.conf) for all new tickets. So, the workaround is to just strip out the set_options_using_creds() function (and its sub-functions) and remove the call to this function from within renew_credentials(). With this done, the default options obtained from krb5_get_init_creds_opt_init() are used and the tickets have correct lifetimes.

I can see where the existing functionality may be desired behavior if the user has modified their ticket after login and wishes these modifications to persist, but this would seem the exception. It may be best to have krb5-auth-dialog take an arg to disable/enable this functionality.

Daniel T Chen (crimsun)
Changed in krb5-auth-dialog:
importance: Undecided → Wishlist
Changed in krb5-auth-dialog (Ubuntu):
status: New → Confirmed
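
The renewal chain described in the report, as an added example that is not part of the original report or of krb5-auth-dialog: a toy C model of a 10-hour ticket with a seven-day renewable lifetime being auto-renewed, followed by the options a new ticket would get if they were copied from the last credentials. The struct, the function names, the renewal rule (a renewed ticket keeps the previous lifetime, capped at renew-till), the 30-minute renewal trigger and the way options are derived from the credentials are all assumptions made for illustration.

```c
/* Added illustration: toy model of the renewal chain, not krb5-auth-dialog code. */
#include <stdio.h>

#define HOUR 3600L
#define DAY (24 * HOUR)
#define RENEW_MARGIN (30 * 60L) /* assumed: renew 30 minutes before expiry */

struct ticket { long start, end, renew_till; }; /* seconds since first login */

/* Assumed KDC rule: renewed ticket keeps the old lifetime, capped at renew_till. */
static struct ticket kdc_renew(struct ticket old, long now) {
    struct ticket t = { now, now + (old.end - old.start), old.renew_till };
    if (t.end > t.renew_till)
        t.end = t.renew_till;
    return t;
}

/* Auto-renew until one more renewal can no longer move the expiry forward. */
static struct ticket simulate_renewals(struct ticket t, int *count) {
    *count = 0;
    for (;;) {
        long now = t.end - RENEW_MARGIN;
        if (now <= t.start)
            break; /* ticket already starts inside the final 30 minutes */
        t = kdc_renew(t, now);
        (*count)++;
    }
    return t;
}

/* Assumed model of taking the new ticket's options from existing credentials. */
static long lifetime_from_creds(struct ticket t) { return t.end - t.start; }
static long renew_life_from_creds(struct ticket t) { return t.renew_till - t.start; }

int main(void) {
    struct ticket initial = { 0, 10 * HOUR, 7 * DAY }; /* constructed sample */
    int n;
    struct ticket last = simulate_renewals(initial, &n);

    printf("renewals performed:      %d\n", n);
    printf("initial lifetime/renew:  %lds / %lds\n",
           lifetime_from_creds(initial), renew_life_from_creds(initial));
    printf("options from last creds: %lds / %lds\n",
           lifetime_from_creds(last), renew_life_from_creds(last));
    return 0;
}
```

In this model the last renewed ticket starts 30 minutes before the final expiration, so options copied from it request a 30-minute ticket with a 30-minute renewable lifetime instead of the original 10 hours and seven days.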