Bug 15046 - PAM Kerberos authentication incorrectly fails with a clock skew error
Summary: PAM Kerberos authentication incorrectly fails with a clock skew error
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL: https://gitlab.com/samba-team/samba/-...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-04-13 11:14 UTC by Samuel Cabrero
Modified: 2022-05-02 09:48 UTC (History)
3 users (show)

See Also:


Attachments
Patch for 4.16 (12.46 KB, patch)
2022-04-13 16:38 UTC, Samuel Cabrero
asn: review+
scabrero: review? (metze)
Details
Patch for 4.15 (11.67 KB, patch)
2022-04-13 16:38 UTC, Samuel Cabrero
asn: review+
scabrero: review? (metze)
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Samuel Cabrero 2022-04-13 11:14:34 UTC
The samba testsuite has found that PAM Kerberos authentication can fail with an incorrect clock skew too great error. In the samba testsuite the server and the client run in the same machine.

The reason is that the time_offset passed to kerberos_return_pac() in winbindd_raw_kerberos_login() can be wrong. This time_offset is retrieved from an ADS_STRUCT directly casted from domain->private_data, when domain->private_data can point to a winbind_internal_pipes struct.

We have to remove the private_data field from winbindd_domain struct and use typed pointers.
Comment 1 Samba QA Contact 2022-04-13 13:55:04 UTC
This bug was referenced in samba master:

e1f29b0970f4cac52a9cd517be6862cf69a1433a
91395e660a2b1b69bf74ca0b77aee416e2ac1db3
3cb256439e9ceece26c2de82293c43486543e0cb
a6d6ae3cfcd64a85f82ec5b12253ca0e237d95bb
Comment 2 Samuel Cabrero 2022-04-13 16:38:06 UTC
Created attachment 17270 [details]
Patch for 4.16
Comment 3 Samuel Cabrero 2022-04-13 16:38:30 UTC
Created attachment 17271 [details]
Patch for 4.15
Comment 4 Andreas Schneider 2022-04-13 17:41:48 UTC
Jule, can you please apply the patches to the corresponding branches? Thank you!
Comment 5 Jule Anger 2022-04-15 13:02:20 UTC
Pushed to autobuild-v4-{16,15}-test.
Comment 6 Samba QA Contact 2022-04-15 14:04:12 UTC
This bug was referenced in samba v4-15-test:

46f331e219611798cb0e9379d2ec05a84ff15f8a
29ec750566d2e7208afff6a97f319553c6431efd
f9e1cd4e9a67ef9e7bd414606d7f4dd31813a2ce
4f3c5b21db6a83662c3c097e203e66295a7a4fa1
Comment 7 Samba QA Contact 2022-04-15 14:46:11 UTC
This bug was referenced in samba v4-16-test:

621b80645a47dc41b53217785b835706a1677468
be6712bd6151548168bd77a670c7576383c3c7f6
12e6a16911dee92e20290bb4dec7959cb9de30f6
b444d0f7feef430dbcbbcbc626bf988ab867c2b8
Comment 8 Jule Anger 2022-04-15 16:58:03 UTC
Closing out bug report.

Thanks!
Comment 9 Samba QA Contact 2022-04-26 14:44:38 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.7):

46f331e219611798cb0e9379d2ec05a84ff15f8a
29ec750566d2e7208afff6a97f319553c6431efd
f9e1cd4e9a67ef9e7bd414606d7f4dd31813a2ce
4f3c5b21db6a83662c3c097e203e66295a7a4fa1
Comment 10 Samba QA Contact 2022-05-02 09:48:39 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.1):

621b80645a47dc41b53217785b835706a1677468
be6712bd6151548168bd77a670c7576383c3c7f6
12e6a16911dee92e20290bb4dec7959cb9de30f6
b444d0f7feef430dbcbbcbc626bf988ab867c2b8