kerberos and clock skew

Qiao Yang qyang at stbernard.com
Wed Mar 30 01:03:47 GMT 2005 

Hi,

I found a problem with the code which handles the clock skew with the domain
controller. The net command and winbindd go into a forever-loop and
eventually dump core if the clock of the workstation is set to be in the
future. Attached is the debug output.

The code in question is in Samba3 libsmb/clikrb5.c, line 385, in function
ads_krb5_mk_req().
------------------------------
        while(!creds_ready) {
                if ((retval = krb5_get_credentials(context, 0, ccache,
                                                   &creds, &credsp))) {
                        DEBUG(1,("ads_krb5_mk_req: krb5_get_credentials
failed for %s (%s)\n",
                                 principal, error_message(retval)));
                        goto cleanup_creds;
                }

                /* cope with ticket being in the future due to clock skew */
                if ((unsigned)credsp->times.starttime > time(NULL)) {
                        time_t t = time(NULL);
                        int time_offset
=(unsigned)credsp->times.starttime-t;
                        DEBUG(4,("ads_krb5_mk_req: Advancing clock by %d
seconds to cope with clock skew\n", time_offset));
                        krb5_set_real_time(context, t + time_offset + 1, 0);
                }

                if (!ads_cleanup_expired_creds(context, ccache, credsp))
                        creds_ready = True;
        }

------------------------------
Question 1:
Why only call krb5_set_real_time() when the ticket time is in the future?
I think we need to call krb5_set_real_time() no matter the ticket time is in
the future or in the past. The ticket time is what we believe to be correct
(domain controller time)

Question 2:
ads_cleanup_expired_creds() should take into account of the time_offset. In
the case that the machine clock is in the future, the credential actually is
not expired but the code thinks it is and keep trying to remove it and goes
into a dead loop.


Qiao Yang
St. Bernard Software

------------------------------

[2005/04/01 18:16:51, 3F] clikrb5.c:ads_krb5_mk_req(381)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
# credentials are obtained; goes into a dead loop because
ads_cleanup_expired_creds() always return true
[2005/04/01 18:16:51, 3F] clikrb5.c:ads_cleanup_expired_creds(318)
  Ticket in ccache[MEMORY:net_ads] expiration Wed, 30 Mar 2005 01:44:46 UTC
[2005/04/01 18:16:51, 1F] clikrb5.c:ads_cleanup_expired_creds(339)
  ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err Ccache function
not
 supported: not implemented
[2005/04/01 18:16:51, 3F] clikrb5.c:ads_cleanup_expired_creds(318)
  Ticket in ccache[MEMORY:net_ads] expiration Wed, 30 Mar 2005 01:44:46 UTC
[2005/04/01 18:16:51, 1F] clikrb5.c:ads_cleanup_expired_creds(339)
  ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err Ccache function
not
 supported: not implemented
[2005/04/01 18:16:51, 3F] clikrb5.c:ads_cleanup_expired_creds(318)
  Ticket in ccache[MEMORY:net_ads] expiration Wed, 30 Mar 2005 01:44:46 UTC
[2005/04/01 18:16:51, 1F] clikrb5.c:ads_cleanup_expired_creds(339)
  ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err Ccache function
not
 supported: not implemented
[2005/04/01 18:16:51, 3F] clikrb5.c:ads_cleanup_expired_creds(318)
  Ticket in ccache[MEMORY:net_ads] expiration Wed, 30 Mar 2005 01:44:46 UTC
[2005/04/01 18:16:51, 1F] clikrb5.c:ads_cleanup_expired_creds(339)
  ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err Ccache function
not
 supported: not implemented
...

More information about the samba-technical mailing list