Bug 11480 - clock skew causes winbind auth failure without coherent error report
Summary: clock skew causes winbind auth failure without coherent error report
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.2.2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2015-09-01 12:50 UTC by David Woodhouse
Modified: 2015-09-02 11:10 UTC

Description David Woodhouse 2015-09-01 12:50:05 UTC
When system time is incorrect, users are unable to log in to fix it.

[dwoodhou@i7 ~]$ sudo date -s 2015-01-1
Thu  1 Jan 00:00:00 GMT 2015
[dwoodhou@i7 ~]$ wbinfo -K dwoodhou
Enter dwoodhou's password: 
plaintext kerberos password authentication for [dwoodhou] failed (requesting cctype: FILE)
error code was NT_STATUS_LOGON_FAILURE (0xc000006d)
error message was: Logon failure
Could not authenticate user [dwoodhou] with Kerberos (ccache: FILE)


It looks like winbind is recognising that the clock is wrong, and even attempting to cope with it, but ultimately failing to accept the Kerberos ticket that it successfully acquires:

process_request: Handling async request 14184:PAM_AUTH
[14184]: pam auth dwoodhou
child daemon request 13
child_process_request: request fn PAM_AUTH
[14152]: dual pam auth GER\dwoodhou
winbindd_dual_pam_auth: domain: GER last was online
winbindd_dual_pam_auth_kerberos
is_myname("GER") returns 0
using ccache: FILE:/tmp/krb5cc_500
winbindd_raw_kerberos_login: uid is 500
kerberos_kinit_password: as dwoodhou@GER.CORP.INTEL.COM using [FILE:/tmp/krb5cc_500] as ccache and config [(null)]
got TGT for dwoodhou@GER.CORP.INTEL.COM in FILE:/tmp/krb5cc_500
        valid until: Tue, 01 Sep 2015 23:42:06 BST (1441147326)
        renewable till: Thu, 01 Oct 2015 13:42:06 BST (1443703326)
ads_krb5_mk_req: Advancing clock by 21040851 seconds to cope with clock skew
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_500] expiration Tue, 01 Sep 2015 23:42:06 BST
ads_krb5_mk_req: Ticket (DWOODHOU-LINUX$@GER.CORP.INTEL.COM) in ccache (FILE:/tmp/krb5cc_500) is valid until: (Tue, 01 Sep 2015 23:42:06 BST - 1441147326)
Got KRB5 session key of length 16
Starting GENSEC mechanism gse_krb5
name_to_fqdn: lookup for DWOODHOU-LINUX -> DWOODHOU-LINUX.ger.corp.intel.com.
../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed (Permission denied)
../source3/librpc/crypto/gse_krb5.c:605: Warning! Unable to set mem keytab from system keytab!
gss_accept_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Ticket not yet valid]
gensec_update() failed: NT_STATUS_LOGON_FAILURE
winbindd_dual_pam_auth_kerberos failed: NT_STATUS_LOGON_FAILURE
Plain-text authentication for user GER\dwoodhou returned NT_STATUS_LOGON_FAILURE (PAM: 7)
Finished processing child request 13
Writing 3496 bytes to parent
wb_request_done[14184:PAM_AUTH]: NT_STATUS_LOGON_FAILURE

Comment 1 David Woodhouse 2015-09-02 11:02:56 UTC
When the system clock is fast, gss_init_sec_context() fails differently, and without ads_krb5_mk_req() first noticing the clock skew:

[12050]: pam auth dwoodhou
child daemon request 13
child_process_request: request fn PAM_AUTH
[12010]: dual pam auth GER\dwoodhou
winbindd_dual_pam_auth: domain: GER last was online
winbindd_dual_pam_auth_kerberos
is_myname("GER") returns 0
using ccache: FILE:/tmp/krb5cc_500
winbindd_raw_kerberos_login: uid is 500
kerberos_kinit_password: as dwoodhou@GER.CORP.INTEL.COM using [FILE:/tmp/krb5cc_500] as ccache and config [(null)]
got TGT for dwoodhou@GER.CORP.INTEL.COM in FILE:/tmp/krb5cc_500
	valid until: Wed, 02 Sep 2015 21:56:27 BST (1441227387)
	renewable till: Fri, 02 Oct 2015 11:56:27 BST (1443783387)
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_500] expiration Wed, 02 Sep 2015 21:56:27 BST
ads_krb5_mk_req: Ticket (DWOODHOU-LINUX$@GER.CORP.INTEL.COM) in ccache (FILE:/tmp/krb5cc_500) is valid until: (Wed, 02 Sep 2015 21:56:27 BST - 1441227387)
Got KRB5 session key of length 16
Starting GENSEC mechanism gse_krb5
name_to_fqdn: lookup for DWOODHOU-LINUX -> DWOODHOU-LINUX.ger.corp.intel.com.
../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed (Permission denied)
../source3/librpc/crypto/gse_krb5.c:605: Warning! Unable to set mem keytab from system keytab!
gss_accept_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Clock skew too great]
gensec_update() failed: NT_STATUS_LOGON_FAILURE
winbindd_dual_pam_auth_kerberos failed: NT_STATUS_LOGON_FAILURE
Plain-text authentication for user GER\dwoodhou returned NT_STATUS_LOGON_FAILURE (PAM: 7)
Finished processing child request 13
Writing 3496 bytes to parent
wb_request_done[12050:PAM_AUTH]: NT_STATUS_LOGON_FAILURE

Comment 2 David Woodhouse 2015-09-02 11:10:08 UTC
Perhaps a simple solution here is just to do the equivalent of spawning 'net time set -S $DOMAIN', if gss_accept_sec_context() results in KRB5KRB_AP_ERR_SKEW or KRB5KRB_AP_ERR_TKT_NYV. And then try again.

You could make that optional, if you really must.
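
A triage sketch for the failure described in this report, added here as an example (it is not Samba code and not part of the original comments): it scans a winbindd debug log and marks PAM_AUTH requests whose NT_STATUS_LOGON_FAILURE was accompanied by one of the two Kerberos time errors named in Comment 2. The function name `diagnose` and the result keys are assumptions; the sample lines are excerpted from the two logs quoted above.

```python
import re

# Minor-status text logged by gss_accept_sec_context -> Kerberos error named in Comment 2.
SKEW_ERRORS = {
    "Ticket not yet valid": "KRB5KRB_AP_ERR_TKT_NYV",
    "Clock skew too great": "KRB5KRB_AP_ERR_SKEW",
}
START = re.compile(r"^\[(\d+)\]: pam auth (\S+)")
ADVANCE = re.compile(r"ads_krb5_mk_req: Advancing clock by (\d+) seconds")
GSS_FAIL = re.compile(r"gss_accept_sec_context failed with \[.*information: (.+)\]")
DONE = re.compile(r"wb_request_done\[(\d+):PAM_AUTH\]: (NT_STATUS_\w+)")

def diagnose(log_text):
    """Return one dict per finished PAM_AUTH request, flagging clock-skew causes."""
    results, current = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if m := START.match(line):
            current = {"pid": m.group(1), "user": m.group(2),
                       "krb5_error": None, "advance_seconds": None}
        elif current is None:
            continue  # line is outside any tracked request
        elif m := ADVANCE.search(line):
            current["advance_seconds"] = int(m.group(1))
        elif m := GSS_FAIL.search(line):
            # Failures unrelated to time map to None and are not flagged.
            current["krb5_error"] = SKEW_ERRORS.get(m.group(1))
        elif (m := DONE.search(line)) and m.group(1) == current["pid"]:
            current["status"] = m.group(2)
            current["clock_skew"] = (current["status"] == "NT_STATUS_LOGON_FAILURE"
                                     and current["krb5_error"] is not None)
            results.append(current)
            current = None
    return results

# Sample input: lines excerpted from the two logs quoted in this report.
SAMPLE = """\
[14184]: pam auth dwoodhou
ads_krb5_mk_req: Advancing clock by 21040851 seconds to cope with clock skew
gss_accept_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Ticket not yet valid]
wb_request_done[14184:PAM_AUTH]: NT_STATUS_LOGON_FAILURE
[12050]: pam auth dwoodhou
gss_accept_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Clock skew too great]
wb_request_done[12050:PAM_AUTH]: NT_STATUS_LOGON_FAILURE
"""

if __name__ == "__main__":
    for r in diagnose(SAMPLE):
        print(r)
```

Both sample requests end in the same NT_STATUS_LOGON_FAILURE; only the GSS minor-status text, visible at debug log level, distinguishes a time problem from a bad password.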