[39530] in Kerberos
Re: Impossible to log into a MS AD 2025 from a 32-bit GSSAPI system
daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Wed Jul 2 14:50:39 2025
Message-Id: <202507021847.562IlrTk026734@hedwig.cmf.nrl.navy.mil>
To: abz++krb@mailo.com
cc: kerberos@mit.edu
In-Reply-To: <7200ec9f-1c14-48c4-8502-ba675ff848c3@mailo.com>
MIME-Version: 1.0
Date: Wed, 02 Jul 2025 14:47:52 -0400
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
>In short, from a 32-bit client (tested on both x86 and armf), a kinit
>with such a user account fails with the message:
>
> ASN.1 failed call to system time library while getting initial
>credentials
Interestingly enough, I used to have the reverse problem. Specifically,
we had one user who used one system (pre-Unix MacOS Kerberos client)
which had an epoch before the usual 1-1-1970, and for reasons I never
quite understood their time got reset a LOT to this epoch value. When
they would try to authenticate we'd get this error on the KDC, but then
the request was dropped so they saw it as "couldn't contact any KDC".
Drove me nuts until I figured it out.
Personally I think your workaround is fine; I am not sure what systems
with a 32-bit time_t are supposed to do after Y2038 anyway.
--Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
