[16824] in Kerberos_V5_Development
AP-REP KRB5_MUTUAL_FAILED  (-1765328226L) and Leap Seconds
daemon@ATHENA.MIT.EDU (Dave Daugherty)
Wed May 25 16:03:59 2011
From: Dave Daugherty <dave.daugherty@centrify.com>
To: "krbdev@mit.edu" <krbdev@mit.edu>
Date: Wed, 25 May 2011 10:18:56 -0700
Message-ID: <6E90015C52F4FA478E0E30CD3BC6479837CF3C958D@exch-07.centrify.com>
We recently stumbled upon a problem with a CentOS version 5 library that appears to factor 24 leap seconds into the gmtime_r function. This may have to do with timezone settings: http://old.nabble.com/Seeking-clarifaction-of-tai64nlocal-and-leap-seconds-td31298116.html

This leads to an AP-REQ/AP-REP failure because of the following:

The AP-REQ reads gmtime_r and converts it to an ASCII time string to be sent to the service - the gmtime_r includes leap seconds.

The AP-REP comes back, and the returned time string (which is correct) is eventually given to krb5int_gmt_mktime (or gmt_mktime in older releases), where the time string is converted back into a time structure without factoring in the leap seconds.

Now the mutual authentication fails because the two values - the gmtime_r sent and the gmt_mktime value - are off by 24 seconds.

Questions:

Why not just save the time string and then compare it against the return time string to avoid this problem?

Are there other places in the code base where this might be a problem?

Dave Daugherty
Centrify Corp
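
Added example, not part of the original message and not MIT krb5 code: a C program that reproduces the round trip described above, encoding a client time as a "YYYYMMDDHHMMSSZ" string and decoding the echoed string with a conversion that ignores leap seconds. Assumptions: the host gmtime() follows POSIX, the leap-aware libc is simulated by subtracting the 24 seconds reported in the message, the sample timestamp is constructed, and posix_gmt_mktime, encode_ctime and echo_skew are hypothetical names.

```c
#include <limits.h>
#include <stdio.h>
#include <time.h>

#define LEAP_SKEW 24 /* figure reported in the message; assumed constant */

/* Days since 1970-01-01 for a Gregorian date; every day is 86400 s. */
static long days_from_civil(long y, int m, int d)
{
    y -= (m <= 2);
    long era = (y >= 0 ? y : y - 399) / 400;
    long yoe = y - era * 400;
    long doy = (153 * ((m + 9) % 12) + 2) / 5 + d - 1;
    return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

/* Hypothetical leap-second-unaware inverse of gmtime (the gmt_mktime role). */
time_t posix_gmt_mktime(const struct tm *tm)
{
    long days = days_from_civil(tm->tm_year + 1900L, tm->tm_mon + 1, tm->tm_mday);
    return (time_t)days * 86400 + tm->tm_hour * 3600 + tm->tm_min * 60 + tm->tm_sec;
}

/* Encode t as "YYYYMMDDHHMMSSZ". leap_aware != 0 simulates a libc whose
 * gmtime_r folds LEAP_SKEW leap seconds into the broken-down time.
 * gmtime() stands in for gmtime_r() to stay within ISO C. */
void encode_ctime(time_t t, int leap_aware, char out[16])
{
    if (leap_aware)
        t -= LEAP_SKEW;
    struct tm tm = *gmtime(&t);
    strftime(out, 16, "%Y%m%d%H%M%SZ", &tm);
}

/* Decode the echoed string; return sent - decoded, LONG_MIN on bad input. */
long echo_skew(time_t sent, const char *echoed)
{
    struct tm tm = {0};
    if (sscanf(echoed, "%4d%2d%2d%2d%2d%2dZ", &tm.tm_year, &tm.tm_mon,
               &tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6)
        return LONG_MIN;
    tm.tm_year -= 1900;
    tm.tm_mon -= 1;
    return (long)(sent - posix_gmt_mktime(&tm));
}

int main(void)
{
    time_t sent = 1306343936; /* constructed sample: 2011-05-25 17:18:56 UTC */
    char s[16];
    for (int leap = 0; leap <= 1; leap++) {
        encode_ctime(sent, leap, s);
        printf("leap_aware=%d string=%s skew=%ld\n", leap, s, echo_skew(sent, s));
    }
    return 0;
}
```

A nonzero skew is the condition under which an exact comparison of the sent and echoed times fails.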