Bug 12537 - GENSEC doesn't return the lifetime of tickets that have been requested
Summary: GENSEC doesn't return the lifetime of tickets that have been requested
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: 4.4.2
Hardware: All All
: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2017-01-24 06:08 UTC by Matthieu Patou
Modified: 2017-02-08 23:02 UTC
Description Matthieu Patou 2017-01-24 06:08:06 UTC
When winbindd is trying to connect to LDAP using its own account, I very often see messages like:
Current tickets expire in -1484038188 seconds (at 0, time is now 1484038188)

This is either because the TGT end life (as stored in the ADS_STRUCT) is 0 or the TGS end life is 0.

As the previous logs indicate:
kerberos_kinit_password: as 0312MHE0KZX0P4$@PCSTITAN.COM using [MEMORY:winbind_ccache] as ccache and config [/var/locks/.11.winbindd/smb_krb5/krb5.conf.PCSTITAN]
Looking at the code, we can see that ads_kinit_password is calling kerberos_kinit_password_ext with ads->auth.tgt_expire as the expire time parameter.
By contrast, ads_sasl_spnego_gensec_bind, which calls auth_generic_client_start_by_sasl, is not passing the ADS_STRUCT structure (because it has not been designed into GENSEC).
Because of that, the whole chain auth_generic_client_start_by_sasl -> gensec_start_mech_by_sasl_list -> gensec_start_mech -> gensec_security->ops->client_start(gensec_security) -> gensec_gse_client_start (when ops is for gse_krb5) -> gse_init_client is not passing the ADS_STRUCT structure, nor even a pointer to tgs_expire.

In the end, gss_acquire_cred is also called with NULL for the pointer to the time value, but even if it weren't, there is no way this could be bubbled up to the calling functions.

As I said at the beginning, this is causing winbindd to recreate its connection to the DC every time it calls ads_cached_connection, which can sometimes take a lot of time.
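Added here as an illustration, not code from Samba or from this bug's comments: a small Python triage script that parses winbindd lines of the form quoted above and separates the "expiry field never populated" case (expiry timestamp 0, the symptom of this bug) from a genuinely expired ticket. Apart from the line quoted in the report, the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches the winbindd message quoted in this bug report.
LINE_RE = re.compile(
    r"Current tickets expire in (-?\d+) seconds \(at (\d+), time is now (\d+)\)"
)


@dataclass
class ExpiryEvent:
    expire_in: int   # seconds until expiry as logged (negative = already past)
    expires_at: int  # the tgt/tgs expiry field, as a Unix timestamp
    now: int         # time(NULL) when the line was logged

    def kind(self) -> str:
        # An expiry of 0 means the expiry field was never populated after the
        # bind (this bug), not that a real ticket ran out.
        if self.expires_at == 0:
            return "unpopulated-expiry"
        if self.expire_in <= 0:
            return "expired"
        return "valid"

    def consistent(self) -> bool:
        # Sanity check: the logged countdown must equal expires_at - now.
        return self.expire_in == self.expires_at - self.now


def parse_expiry_line(line: str) -> Optional[ExpiryEvent]:
    m = LINE_RE.search(line)
    if m is None:
        return None
    expire_in, expires_at, now = (int(g) for g in m.groups())
    return ExpiryEvent(expire_in, expires_at, now)


def triage(lines: List[str]) -> Dict[str, int]:
    """Count each kind of expiry message; other lines are ignored."""
    counts: Dict[str, int] = {}
    for line in lines:
        ev = parse_expiry_line(line)
        if ev is None or not ev.consistent():
            continue
        counts[ev.kind()] = counts.get(ev.kind(), 0) + 1
    return counts


# Constructed sample log: the first line is the one quoted in the bug.
SAMPLE_LOG = [
    "Current tickets expire in -1484038188 seconds (at 0, time is now 1484038188)",
    "Current tickets expire in 35994 seconds (at 1484074182, time is now 1484038188)",
    "Current tickets expire in -7 seconds (at 1484038181, time is now 1484038188)",
    "ads_cached_connection: reconnecting to domain PCSTITAN (constructed line)",
]
```

Running `triage(SAMPLE_LOG)` yields one "unpopulated-expiry", one "valid" and one "expired" event; a steady stream of the first kind is the reconnect churn described in this report.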
Comment 1 Matthieu Patou 2017-01-24 06:12:46 UTC
I think that infusing the time field into the GENSEC structure can be quite costly and error-prone due to the Russian-doll nature of GENSEC.
A less elegant but much simpler solution would be to populate the tgs_expire field in the ADS_STRUCT after calling ads_sasl_spnego_gensec_bind in ads_sasl_spnego_bind.
Comment 2 Stefan Metzmacher 2017-01-24 09:39:52 UTC
(In reply to Matthieu Patou from comment #0)

Hi Matthieu,

4.4.2 is relatively old and I think this is already solved in newer releases.
I guess you either want 4.5.4 or 4.4.8 + the patches from bug #12480.

git log samba-4.4.2..origin/v4-4-test source3/libads/ source3/librpc/crypto/ auth/ should list the most important fixes relevant to this bug.

Can you retest with these fixes?

Comment 3 Matthieu Patou 2017-01-24 23:28:12 UTC
Stefan: I just had a look at 4.5.3, and I see that the ADS_STRUCT structure is indeed passed to the gensec functions.

I'll try and update the bug.
Comment 4 Stefan Metzmacher 2017-01-25 08:41:41 UTC
(In reply to Matthieu Patou from comment #3)

Ok, but if you use MIT krb5 you'll need the patches from
https://bugzilla.samba.org/show_bug.cgi?id=12480 which are
already included in 4.5.4.
Comment 5 Matthieu Patou 2017-02-08 23:02:06 UTC
We tried with 4.5.X and it seems to work as expected now.
Closing the bug; thanks for the help.