Clock skew failures in selftest

Alexander Bokovoy ab at samba.org
Fri Jul 13 11:43:39 UTC 2018 

On pe, 13 heinä 2018, Stefan Metzmacher wrote:
> Am 13.07.2018 um 12:53 schrieb Alexander Bokovoy via samba-technical:
> > On pe, 13 heinä 2018, Andrew Bartlett via samba-technical wrote:
> >> On Fri, 2018-07-13 at 09:52 +0300, Alexander Bokovoy wrote:
> >>> On pe, 13 heinä 2018, Andrew Bartlett via samba-technical wrote:
> >>>> I was thinking about why we might be seeing errors like this:
> >>>>
> >>>> [789(4384)/888 at 1h12m28s]
> >>>> samba4.ldap_schema.python(ad_dc_ntvfs)(ad_dc_ntvfs)
> >>>> GSS client Update(krb5)(1) Update failed:  Miscellaneous failure (see
> >>>> text): Clock skew too great
> >>>> UNEXPECTED(error):
> >>>> samba4.ldap_schema.python(ad_dc_ntvfs).__main__.SchemaTests.test_genera
> >>>> ted_mAPIID(ad_dc_ntvfs)
> >>>> REASON: Exception: Exception: Traceback (most recent call last):
> >>>>   File
> >>>> "/memdisk/abartlet/a/b409336/samba/source4/dsdb/tests/python/ldap_schem
> >>>> a.py", line 1173, in test_generated_mAPIID
> >>>>     self.ldb.modify_ldif(ldif)
> >>>>   File "bin/python/samba/__init__.py", line 241, in modify_ldif
> >>>>     self.modify(msg, controls)
> >>>> LdbError: (3, 'ldb_wait from (null) with LDB_WAIT_ALL: Time limit
> >>>> exceeded (3)')
> >>>>
> >>>> For the first part (krb5):
> >>>>
> >>>> We run with lockskew = 5 in the krb5.conf of the test client, and I
> >>>> think what his happening here isn't that the packet takes 5 seconds to
> >>>> get to the client, it is that if there is DB locking then the packet
> >>>> takes 5 seconds inside the KDC.
> >>>>
> >>>> Because the kdc time is set (by Samba, in the packet read handler)
> >>>> before the KDC process() routine runs, if the LDB layer blocks on a
> >>>> lock, the ticket can be expired before it leaves the server. 
> >>>>
> >>>> The second message suggests the same thing, that something had the DB
> >>>> locked for quite some time.
> >>>
> >>> What was a reason to reduce to 5 seconds from a default 5 minutes for
> >>> Kerberos libraries? Kerberos clock skew isn't a timeout thing so we
> >>> really shouldn't use it to trigger timeouts.
> >>
> >> ac5427c6eba0 (Andreas Schneider 2016-09-26 18:51:33 +0200 242)  # Set the grace clocskew to 5 seconds
> >> ac5427c6eba0 (Andreas Schneider 2016-09-26 18:51:33 +0200 243)  # This is especially required by samba3.raw.session krb5 and
> >> ac5427c6eba0 (Andreas Schneider 2016-09-26 18:51:33 +0200 244)  # reauth tests
> >> ac5427c6eba0 (Andreas Schneider 2016-09-26 18:51:33 +0200 245)  clockskew = 5
> >>
> >> It went in with a pile of the things for the MIT KDC.
> > My understanding is that this is because in test_session_expire1 test we 
> >    - we acquire tickets with 4 seconds life time (git grep requested_life_time)
> >    - we wait up to 10 seconds between several operations to be sure we
> >      trigger reauthentication
> >    - as clockskew value is used for allowing existing ticket to be used
> >      for a time < clockskew after expiration, the ticket above would be
> >      valid 9 seconds in total.
> > 
> > However, this is the only test that requires clockskew reduced to 5
> > seconds. The rest of our tests do not require it. I think we should
> > consider updating a test environment for source3.raw.session instead of
> > applying its conditions to everything else.
> 
> As far as I remember the problem was that MIT doesn't offer to
> control this from C code. That's why Andreas changed it in the config file.
Right, but there is no need to change this for other tests, so it needs
to be a test environment variation rather than applied to all test
environments.


-- 
/ Alexander Bokovoy

More information about the samba-technical mailing list