Clock skew failures in selftest
metze at samba.org
Fri Jul 13 11:12:41 UTC 2018
Am 13.07.2018 um 12:53 schrieb Alexander Bokovoy via samba-technical:
> On pe, 13 heinä 2018, Andrew Bartlett via samba-technical wrote:
>> On Fri, 2018-07-13 at 09:52 +0300, Alexander Bokovoy wrote:
>>> On pe, 13 heinä 2018, Andrew Bartlett via samba-technical wrote:
>>>> I was thinking about why we might be seeing errors like this:
>>>> [789(4384)/888 at 1h12m28s]
>>>> GSS client Update(krb5)(1) Update failed: Miscellaneous failure (see
>>>> text): Clock skew too great
>>>> REASON: Exception: Exception: Traceback (most recent call last):
>>>> a.py", line 1173, in test_generated_mAPIID
>>>> File "bin/python/samba/__init__.py", line 241, in modify_ldif
>>>> self.modify(msg, controls)
>>>> LdbError: (3, 'ldb_wait from (null) with LDB_WAIT_ALL: Time limit
>>>> exceeded (3)')
>>>> For the first part (krb5):
>>>> We run with lockskew = 5 in the krb5.conf of the test client, and I
>>>> think what his happening here isn't that the packet takes 5 seconds to
>>>> get to the client, it is that if there is DB locking then the packet
>>>> takes 5 seconds inside the KDC.
>>>> Because the kdc time is set (by Samba, in the packet read handler)
>>>> before the KDC process() routine runs, if the LDB layer blocks on a
>>>> lock, the ticket can be expired before it leaves the server.
>>>> The second message suggests the same thing, that something had the DB
>>>> locked for quite some time.
>>> What was a reason to reduce to 5 seconds from a default 5 minutes for
>>> Kerberos libraries? Kerberos clock skew isn't a timeout thing so we
>>> really shouldn't use it to trigger timeouts.
>> ac5427c6eba0 (Andreas Schneider 2016-09-26 18:51:33 +0200 242) # Set the grace clocskew to 5 seconds
>> ac5427c6eba0 (Andreas Schneider 2016-09-26 18:51:33 +0200 243) # This is especially required by samba3.raw.session krb5 and
>> ac5427c6eba0 (Andreas Schneider 2016-09-26 18:51:33 +0200 244) # reauth tests
>> ac5427c6eba0 (Andreas Schneider 2016-09-26 18:51:33 +0200 245) clockskew = 5
>> It went in with a pile of the things for the MIT KDC.
> My understanding is that this is because in test_session_expire1 test we
> - we acquire tickets with 4 seconds life time (git grep requested_life_time)
> - we wait up to 10 seconds between several operations to be sure we
> trigger reauthentication
> - as clockskew value is used for allowing existing ticket to be used
> for a time < clockskew after expiration, the ticket above would be
> valid 9 seconds in total.
> However, this is the only test that requires clockskew reduced to 5
> seconds. The rest of our tests do not require it. I think we should
> consider updating a test environment for source3.raw.session instead of
> applying its conditions to everything else.
As far as I remember the problem was that MIT doesn't offer to
control this from C code. That's why Andreas changed it in the config file.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: OpenPGP digital signature
More information about the samba-technical