15046 – PAM Kerberos authentication incorrectly fails with a clock skew error

Bug 15046 - PAM Kerberos authentication incorrectly fails with a clock skew error

Summary: PAM Kerberos authentication incorrectly fails with a clock skew error

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	Winbind (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Jule Anger
QA Contact:	Samba QA Contact

URL:	https://gitlab.com/samba-team/samba/-...
Keywords:

Depends on:
Blocks:

Reported:	2022-04-13 11:14 UTC by Samuel Cabrero
Modified:	2022-05-02 09:48 UTC (History)
CC List:	3 users (show)

See Also:

Attachments
Patch for 4.16 (12.46 KB, patch) 2022-04-13 16:38 UTC, Samuel Cabrero	asn: review+ scabrero: review? (metze)	Details
Patch for 4.15 (11.67 KB, patch) 2022-04-13 16:38 UTC, Samuel Cabrero	asn: review+ scabrero: review? (metze)	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Samuel Cabrero 2022-04-13 11:14:34 UTC

The samba testsuite has found that PAM Kerberos authentication can fail with an incorrect clock skew too great error. In the samba testsuite the server and the client run in the same machine.

The reason is that the time_offset passed to kerberos_return_pac() in winbindd_raw_kerberos_login() can be wrong. This time_offset is retrieved from an ADS_STRUCT directly casted from domain->private_data, when domain->private_data can point to a winbind_internal_pipes struct.

We have to remove the private_data field from winbindd_domain struct and use typed pointers.

Comment 1 Samba QA Contact 2022-04-13 13:55:04 UTC

This bug was referenced in samba master:

e1f29b0970f4cac52a9cd517be6862cf69a1433a
91395e660a2b1b69bf74ca0b77aee416e2ac1db3
3cb256439e9ceece26c2de82293c43486543e0cb
a6d6ae3cfcd64a85f82ec5b12253ca0e237d95bb

Comment 2 Samuel Cabrero 2022-04-13 16:38:06 UTC

Created attachment 17270 [details]
Patch for 4.16

Comment 3 Samuel Cabrero 2022-04-13 16:38:30 UTC

Created attachment 17271 [details]
Patch for 4.15

Comment 4 Andreas Schneider 2022-04-13 17:41:48 UTC

Jule, can you please apply the patches to the corresponding branches? Thank you!

Comment 5 Jule Anger 2022-04-15 13:02:20 UTC

Pushed to autobuild-v4-{16,15}-test.

Comment 6 Samba QA Contact 2022-04-15 14:04:12 UTC

This bug was referenced in samba v4-15-test:

46f331e219611798cb0e9379d2ec05a84ff15f8a
29ec750566d2e7208afff6a97f319553c6431efd
f9e1cd4e9a67ef9e7bd414606d7f4dd31813a2ce
4f3c5b21db6a83662c3c097e203e66295a7a4fa1

Comment 7 Samba QA Contact 2022-04-15 14:46:11 UTC

This bug was referenced in samba v4-16-test:

621b80645a47dc41b53217785b835706a1677468
be6712bd6151548168bd77a670c7576383c3c7f6
12e6a16911dee92e20290bb4dec7959cb9de30f6
b444d0f7feef430dbcbbcbc626bf988ab867c2b8

Comment 8 Jule Anger 2022-04-15 16:58:03 UTC

Closing out bug report.

Thanks!

Comment 9 Samba QA Contact 2022-04-26 14:44:38 UTC

This bug was referenced in samba v4-15-stable (Release samba-4.15.7):

46f331e219611798cb0e9379d2ec05a84ff15f8a
29ec750566d2e7208afff6a97f319553c6431efd
f9e1cd4e9a67ef9e7bd414606d7f4dd31813a2ce
4f3c5b21db6a83662c3c097e203e66295a7a4fa1

Comment 10 Samba QA Contact 2022-05-02 09:48:39 UTC

This bug was referenced in samba v4-16-stable (Release samba-4.16.1):

621b80645a47dc41b53217785b835706a1677468
be6712bd6151548168bd77a670c7576383c3c7f6
12e6a16911dee92e20290bb4dec7959cb9de30f6
b444d0f7feef430dbcbbcbc626bf988ab867c2b8