Handling Kerberos ticket expiration in AD join
ranji
ranjith.rajendran at wipro.com
Mon Oct 25 01:02:01 MDT 2010
K-ticket generated, to be checked for its expiration.
As per my observation, the K-ticket is generated on to the NETADS:MEMORY
(i.e., on the fly). It uses this ticket for the AD join.
Also, could someone help me in understanding the below part of the code:
while (!creds_ready && (i < maxtries)) {
	if ((retval = krb5_get_credentials(context, 0, ccache,
					   &creds, &credsp))) {
		DEBUG(1,("ads_krb5_mk_req: krb5_get_credentials failed for %s (%s)\n",
			 principal, error_message(retval)));
		goto cleanup_creds;
	}
	/* cope with ticket being in the future due to clock skew */
	if ((unsigned)credsp->times.starttime > time(NULL)) {
		time_t t = time(NULL);
		int time_offset =(int)((unsigned)credsp->times.starttime-t);
		DEBUG(4,("ads_krb5_mk_req: Advancing clock by %d seconds to cope with clock skew\n", time_offset));
		krb5_set_real_time(context, t + time_offset + 1, 0);
	}
	if (!ads_cleanup_expired_creds(context, ccache, credsp)) {
		creds_ready = True;
	}
	i++;
}
DEBUG(10,("ads_krb5_mk_req: Ticket (%s) in ccache (%s:%s) is valid until: (%s - %u)\n",
	  principal, krb5_cc_get_type(context, ccache), krb5_cc_get_name(context, ccache),
	  http_timestring((unsigned)credsp->times.endtime),
	  (unsigned)credsp->times.endtime));
if (expire_time) {
	*expire_time = (time_t)credsp->times.endtime;
}
Samba logs are:
[2010/09/23 11:38:24, 3] libads/sasl.c:ads_sasl_spnego_bind(780)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2010/09/23 11:38:24, 3] libads/sasl.c:ads_sasl_spnego_bind(789)
  ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178 at please_ignore
[2010/09/23 11:38:24, 3] libsmb/clikrb5.c:ads_krb5_mk_req(676)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
[2010/09/23 11:39:10, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(609)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Thu, 23 Sep 2010 21:37:45 GMT
[2010/09/23 11:39:10, 3] libads/ldap.c:ads_domain_func_level(2920)
  ads_domain_func_level: 3
[2010/09/23 11:39:10, 3] libads/kerberos.c:kerberos_secrets_store_des_salt(475)
  kerberos_secrets_store_des_salt: Storing salt "host/pitty7.team.com at TEAM.COM"
[2010/09/23 11:39:10, 5] passdb/pdb_interface.c:smb_register_passdb(63)
  Attempting to register passdb backend ldapsam
[2010/09/23 11:39:10, 5] passdb/pdb_interface.c:smb_register_passdb(76)
  Successfully added passdb backend 'ldapsam'
[2010/09/23 11:39:10, 5] passdb/pdb_interface.c:smb_register_passdb(63)
  Attempting to register passdb backend ldapsam_compat
Suggestions are quite appreciated if ticket expiration could be handled.
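
The time checks that the loop quoted above performs, as an added example that is not part of the original post and is not Samba's code: it uses plain C with no Kerberos library so the start-time and end-time logic can be run in isolation. The struct, the function names, the constructed sample cache and the 10-second expiry margin are assumptions of this example.

```c
#include <stdio.h>
#include <time.h>

/* Constructed stand-in for the two krb5_creds time fields used in the post. */
struct ticket_times { time_t starttime; time_t endtime; };

enum ticket_state { TICKET_VALID, TICKET_NOT_YET_VALID, TICKET_EXPIRING };

#define EXPIRY_MARGIN 10 /* assumed safety margin in seconds */

/* Constructed sample: entry 0 is about to expire, entry 1 starts in the future. */
static const struct ticket_times sample_cache[2] = {
    { 900, 1005 }, { 1030, 37000 }
};

/* Seconds the clock must be advanced so the ticket is usable (0 if none).
 * Same arithmetic as the "clock skew" branch: offset to starttime, plus 1. */
long skew_offset(const struct ticket_times *t, time_t now)
{
    return t->starttime > now ? (long)(t->starttime - now) + 1 : 0;
}

/* Classify one ticket against a given "now". */
enum ticket_state classify_ticket(const struct ticket_times *t, time_t now)
{
    if (t->starttime > now) return TICKET_NOT_YET_VALID;
    if (t->endtime < now + EXPIRY_MARGIN) return TICKET_EXPIRING;
    return TICKET_VALID;
}

/* Model of the retry loop: each try takes the next ticket, corrects for skew,
 * then tests expiry. Returns the index of the first usable ticket or -1;
 * *offset receives the accumulated clock correction. */
int find_usable_ticket(const struct ticket_times *cache, int n, time_t now,
                       int maxtries, long *offset)
{
    *offset = 0;
    for (int i = 0; i < n && i < maxtries; i++) {
        *offset += skew_offset(&cache[i], now + *offset);
        if (classify_ticket(&cache[i], now + *offset) == TICKET_VALID)
            return i;
    }
    return -1;
}

int main(void)
{
    long off;
    int idx = find_usable_ticket(sample_cache, 2, 1000, 10, &off);
    printf("usable ticket index=%d, clock advanced by %ld s\n", idx, off);
    return idx < 0;
}
```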