Bug 2558 - net and winbindd crashes when clock of the workstation is in the future and active directory is used
Summary: net and winbindd crashes when clock of the workstation is in the future and a...
Status: RESOLVED DUPLICATE of bug 1208
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.13
Hardware: All All
: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-03-30 12:18 UTC by Qiao Yang
Modified: 2005-03-30 14:22 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Qiao Yang 2005-03-30 12:18:06 UTC
The net command and winbindd (and possibly other programs which need to get
kerberos credentials) go into a forever-loop and
eventually dump core if the clock of the workstation is set to be in the
future. Attached is the debug output.

------------------------------

[2005/04/01 18:16:51, 3F] clikrb5.c:ads_krb5_mk_req(381)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
# credentials are obtained; goes into a dead loop because
ads_cleanup_expired_creds() always return true
[2005/04/01 18:16:51, 3F] clikrb5.c:ads_cleanup_expired_creds(318)
  Ticket in ccache[MEMORY:net_ads] expiration Wed, 30 Mar 2005 01:44:46 UTC
[2005/04/01 18:16:51, 1F] clikrb5.c:ads_cleanup_expired_creds(339)
  ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err Ccache function
not
 supported: not implemented
[2005/04/01 18:16:51, 3F] clikrb5.c:ads_cleanup_expired_creds(318)
  Ticket in ccache[MEMORY:net_ads] expiration Wed, 30 Mar 2005 01:44:46 UTC
[2005/04/01 18:16:51, 1F] clikrb5.c:ads_cleanup_expired_creds(339)
  ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err Ccache function
not
 supported: not implemented
[2005/04/01 18:16:51, 3F] clikrb5.c:ads_cleanup_expired_creds(318)
  Ticket in ccache[MEMORY:net_ads] expiration Wed, 30 Mar 2005 01:44:46 UTC
[2005/04/01 18:16:51, 1F] clikrb5.c:ads_cleanup_expired_creds(339)
  ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err Ccache function
not
 supported: not implemented
[2005/04/01 18:16:51, 3F] clikrb5.c:ads_cleanup_expired_creds(318)
  Ticket in ccache[MEMORY:net_ads] expiration Wed, 30 Mar 2005 01:44:46 UTC
[2005/04/01 18:16:51, 1F] clikrb5.c:ads_cleanup_expired_creds(339)
  ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err Ccache function
not
 supported: not implemented
...
-------------------------
The code in question is in Samba3 libsmb/clikrb5.c, line 385, in function
ads_krb5_mk_req().
------------------------------
        while(!creds_ready) {
                if ((retval = krb5_get_credentials(context, 0, ccache,
                                                   &creds, &credsp))) {
                        DEBUG(1,("ads_krb5_mk_req: krb5_get_credentials
failed for %s (%s)\n",
                                 principal, error_message(retval)));
                        goto cleanup_creds;
                }

                /* cope with ticket being in the future due to clock skew */
                if ((unsigned)credsp->times.starttime > time(NULL)) {
                        time_t t = time(NULL);
                        int time_offset
=(unsigned)credsp->times.starttime-t;
                        DEBUG(4,("ads_krb5_mk_req: Advancing clock by %d
seconds to cope with clock skew\n", time_offset));
                        krb5_set_real_time(context, t + time_offset + 1, 0);
                }

                if (!ads_cleanup_expired_creds(context, ccache, credsp))
                        creds_ready = True;
        }

------------------------------
Question 1:
Why only call krb5_set_real_time() when the ticket time is in the future?
I think we need to call krb5_set_real_time() no matter the ticket time is in
the future or in the past. The ticket time is what we believe to be correct
(domain controller time)

Question 2:
ads_cleanup_expired_creds() should take into account of the time_offset. In
the case that the machine clock is in the future, the credential actually is
not expired but the code thinks it is and keep trying to remove it and goes
into a dead loop.
Comment 1 Guenther Deschner 2005-03-30 14:22:56 UTC

*** This bug has been marked as a duplicate of 1208 ***