The net command and winbindd (and possibly other programs which need to get kerberos credentials) go into a forever-loop and eventually dump core if the clock of the workstation is set to be in the future. Attached is the debug output. ------------------------------ [2005/04/01 18:16:51, 3F] clikrb5.c:ads_krb5_mk_req(381) ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found) # credentials are obtained; goes into a dead loop because ads_cleanup_expired_creds() always return true [2005/04/01 18:16:51, 3F] clikrb5.c:ads_cleanup_expired_creds(318) Ticket in ccache[MEMORY:net_ads] expiration Wed, 30 Mar 2005 01:44:46 UTC [2005/04/01 18:16:51, 1F] clikrb5.c:ads_cleanup_expired_creds(339) ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err Ccache function not supported: not implemented [2005/04/01 18:16:51, 3F] clikrb5.c:ads_cleanup_expired_creds(318) Ticket in ccache[MEMORY:net_ads] expiration Wed, 30 Mar 2005 01:44:46 UTC [2005/04/01 18:16:51, 1F] clikrb5.c:ads_cleanup_expired_creds(339) ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err Ccache function not supported: not implemented [2005/04/01 18:16:51, 3F] clikrb5.c:ads_cleanup_expired_creds(318) Ticket in ccache[MEMORY:net_ads] expiration Wed, 30 Mar 2005 01:44:46 UTC [2005/04/01 18:16:51, 1F] clikrb5.c:ads_cleanup_expired_creds(339) ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err Ccache function not supported: not implemented [2005/04/01 18:16:51, 3F] clikrb5.c:ads_cleanup_expired_creds(318) Ticket in ccache[MEMORY:net_ads] expiration Wed, 30 Mar 2005 01:44:46 UTC [2005/04/01 18:16:51, 1F] clikrb5.c:ads_cleanup_expired_creds(339) ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err Ccache function not supported: not implemented ... ------------------------- The code in question is in Samba3 libsmb/clikrb5.c, line 385, in function ads_krb5_mk_req(). ------------------------------ while(!creds_ready) { if ((retval = krb5_get_credentials(context, 0, ccache, &creds, &credsp))) { DEBUG(1,("ads_krb5_mk_req: krb5_get_credentials failed for %s (%s)\n", principal, error_message(retval))); goto cleanup_creds; } /* cope with ticket being in the future due to clock skew */ if ((unsigned)credsp->times.starttime > time(NULL)) { time_t t = time(NULL); int time_offset =(unsigned)credsp->times.starttime-t; DEBUG(4,("ads_krb5_mk_req: Advancing clock by %d seconds to cope with clock skew\n", time_offset)); krb5_set_real_time(context, t + time_offset + 1, 0); } if (!ads_cleanup_expired_creds(context, ccache, credsp)) creds_ready = True; } ------------------------------ Question 1: Why only call krb5_set_real_time() when the ticket time is in the future? I think we need to call krb5_set_real_time() no matter the ticket time is in the future or in the past. The ticket time is what we believe to be correct (domain controller time) Question 2: ads_cleanup_expired_creds() should take into account of the time_offset. In the case that the machine clock is in the future, the credential actually is not expired but the code thinks it is and keep trying to remove it and goes into a dead loop.
*** This bug has been marked as a duplicate of 1208 ***