The samba testsuite has found that PAM Kerberos authentication can fail with an incorrect clock skew too great error. In the samba testsuite the server and the client run in the same machine. The reason is that the time_offset passed to kerberos_return_pac() in winbindd_raw_kerberos_login() can be wrong. This time_offset is retrieved from an ADS_STRUCT directly casted from domain->private_data, when domain->private_data can point to a winbind_internal_pipes struct. We have to remove the private_data field from winbindd_domain struct and use typed pointers.
This bug was referenced in samba master: e1f29b0970f4cac52a9cd517be6862cf69a1433a 91395e660a2b1b69bf74ca0b77aee416e2ac1db3 3cb256439e9ceece26c2de82293c43486543e0cb a6d6ae3cfcd64a85f82ec5b12253ca0e237d95bb
Created attachment 17270 [details] Patch for 4.16
Created attachment 17271 [details] Patch for 4.15
Jule, can you please apply the patches to the corresponding branches? Thank you!
Pushed to autobuild-v4-{16,15}-test.
This bug was referenced in samba v4-15-test: 46f331e219611798cb0e9379d2ec05a84ff15f8a 29ec750566d2e7208afff6a97f319553c6431efd f9e1cd4e9a67ef9e7bd414606d7f4dd31813a2ce 4f3c5b21db6a83662c3c097e203e66295a7a4fa1
This bug was referenced in samba v4-16-test: 621b80645a47dc41b53217785b835706a1677468 be6712bd6151548168bd77a670c7576383c3c7f6 12e6a16911dee92e20290bb4dec7959cb9de30f6 b444d0f7feef430dbcbbcbc626bf988ab867c2b8
Closing out bug report. Thanks!
This bug was referenced in samba v4-15-stable (Release samba-4.15.7): 46f331e219611798cb0e9379d2ec05a84ff15f8a 29ec750566d2e7208afff6a97f319553c6431efd f9e1cd4e9a67ef9e7bd414606d7f4dd31813a2ce 4f3c5b21db6a83662c3c097e203e66295a7a4fa1
This bug was referenced in samba v4-16-stable (Release samba-4.16.1): 621b80645a47dc41b53217785b835706a1677468 be6712bd6151548168bd77a670c7576383c3c7f6 12e6a16911dee92e20290bb4dec7959cb9de30f6 b444d0f7feef430dbcbbcbc626bf988ab867c2b8