Bug 1030607
Summary: | clockskew detection not available in keyring caches | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Simo Sorce <ssorce> |
Component: | krb5 | Assignee: | Nalin Dahyabhai <nalin> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Patrik Kis <pkis> |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | 7.0 | CC: | dpal, ksrot, lmiksik, pkis, riehecky, ssorce |
Target Milestone: | rc | Keywords: | Regression |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
URL: | http://krbdev.mit.edu/rt/Ticket/Display.html?id=7820 | | |
Whiteboard: | | | |
Fixed In Version: | krb5-1.11.3-43.el7 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2014-06-13 10:04:43 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 917658 | | |
Description
Simo Sorce
2013-11-14 19:28:29 UTC
Upstream commit to backport: fb4817a32d0c369049e0868468dd2eb75487630d

Create a new client machine, and set the date off by 1 hour in the future.
Do a kinit -l 30m user@REALM
Then do a kvno host/principal@REALM
With the old code, not skew corrected, one of the operations above will fail with a clock skew error or a credentials expired error. With the patches they should work as the ccache corrects the base clock (note that klist will always show the 'correct' date (according to the KDC)).

So it fails with the persistent keyring but not with a file cache when the time is 1 day in the future?

(In reply to Simo Sorce from comment #10)
> So it fails with the persistent keyring but not with a file cache when the
> time is 1 day in the future ?

Exactly.

I dug into this, and I think we've got two problems when the client's clock is more than (lifetime of creds) ahead of the KDC's.

The one that causes kdestroy to claim that there's no cache, right after we've populated it using kinit, appears to be that we're not incorporating the KDC time offset into the expiration date that we set on keyrings, which in cases where the client clock is ahead of the KDC's, means that the keyring's expiration date can be set to a time in the past.

The one that causes the ticket-expired errors is a bit more complicated: the GSSAPI client library's get_credentials() function is comparing the recorded expiration time of a set of credentials that it's about to use to the current time as returned to kg_new_connection() by krb5_timeofday(). That time is affected by the krb5_context's os_ctx's time_offset member, which is only set from a keyring cache in krb5_krcc_resolve(), which is only called after the clock is read in kg_new_connection(), so the KDC's clock offset is not taken into account in the comparison.

When a file is used, though, the offset is set in krb5_fcc_open_file() when it's called either from krb5_fcc_start_seq_get() or krb5_fcc_next_cred(), which are both called before the clock is read, so the KDC's clock offset is taken into account when the comparison is made.

(In reply to Nalin Dahyabhai from comment #12)
> The one that causes kdestroy to claim that there's no cache, right after
> we've populated it using kinit, appears to be that we're not incorporating
> the KDC time offset into the expiration date that we set on keyrings, which
> in cases where the client clock is ahead of the KDC's, means that the
> keyring's expiration date can be set to a time in the past.

Actually, the date should be correct, so this shouldn't be a problem.

Okay, let's try this with -42.

(In reply to Nalin Dahyabhai from comment #14)
> Okay, let's try this with -42.

At first glance the fix looks ok; let me run the test on all arches and we can consider the bug verified.

krb5-1.11.3-43.el7 includes a different fix that was recently added upstream, so please test with that version instead. Thanks!
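The ordering problem that comment #12 describes (the keyring's stored KDC offset reaching the context only after krb5_timeofday() has already been read), modelled as an added example that is not libkrb5 code; the types and function names are simplified stand-ins for the real structures, and the KDC time is a constructed value:

```c
/* Added example, not libkrb5 code: simplified model of the ordering
 * problem from comment #12 (names are stand-ins, not real structures). */
#include <stdbool.h>
#include <time.h>

#define TOFFSET_VALID 0x1       /* KDC offset has been loaded into the context */

typedef struct {                /* stand-in for the os_ctx of a krb5_context */
    int flags;
    long time_offset;           /* KDC clock minus local clock, in seconds */
} os_ctx_t;

typedef struct {                /* stand-in for a credential cache */
    long kdc_time_offset;       /* offset kinit recorded when it talked to the KDC */
    time_t endtime;             /* ticket expiry, expressed in KDC time */
} ccache_t;

/* Model of krb5_timeofday(): the local clock, corrected only if the
 * offset has already been loaded into the context. */
static time_t model_timeofday(const os_ctx_t *os, time_t local_now)
{
    return (os->flags & TOFFSET_VALID) ? local_now + os->time_offset : local_now;
}

/* Model of the step that copies the cache's stored offset into the context
 * (krb5_krcc_resolve for keyrings, krb5_fcc_open_file for FILE caches). */
static void model_resolve(os_ctx_t *os, const ccache_t *cc)
{
    os->time_offset = cc->kdc_time_offset;
    os->flags |= TOFFSET_VALID;
}

/* The get_credentials()-style check: are the cached creds still valid now?
 * resolve_first == true  -> FILE-cache ordering (offset loaded before the clock is read)
 * resolve_first == false -> keyring ordering from this bug (clock read first) */
bool creds_usable(const ccache_t *cc, time_t local_now, bool resolve_first)
{
    os_ctx_t os = { 0, 0 };
    time_t now;
    if (resolve_first) {
        model_resolve(&os, cc);
        now = model_timeofday(&os, local_now);  /* skew-corrected */
    } else {
        now = model_timeofday(&os, local_now);  /* raw local clock */
        model_resolve(&os, cc);                 /* too late for this comparison */
    }
    return now < cc->endtime;
}

/* Scenario: client clock `client_ahead` seconds ahead of the KDC, ticket
 * obtained with `lifetime` seconds of life (kinit -l). KDC time is a
 * constructed sample value. Returns whether the creds are accepted. */
bool scenario(long client_ahead, long lifetime, bool resolve_first)
{
    const time_t kdc_now = (time_t)1390464539;          /* constructed */
    ccache_t cc = { -client_ahead, kdc_now + lifetime };
    return creds_usable(&cc, kdc_now + client_ahead, resolve_first);
}
```

The keyring ordering only misbehaves once the skew exceeds the ticket lifetime, which is the threshold comment #12 identifies; with a smaller skew both orderings accept the credentials.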
Verified with: /CoreOS/krb5/Multihost/bz985956-kinit-does-not-work-when-the-client-time-is-more+-

+-----------------------+
OLD: krb5-1.11.3-34.el7
+-----------------------+

Server:

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Server
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Stopping services (Expected 0, got 0)
:: [ PASS ] :: Cleaning Files (Expected 0, got 0)
:: [ PASS ] :: Creating backup (Expected 0, got 0)
:: [ PASS ] :: Running 'rlFileBackup --namespace krb5 /etc/sysconfig/authconfig' (Expected 0, got 0)
:: [ PASS ] :: Running 'rm -f /etc/sysconfig/authconfig' (Expected 0, got 0)
:: [ PASS ] :: Running 'sed -i "s/\[libdefaults\]/[libdefaults]\n default_realm = EXAMPLE.COM/" /etc/krb5.conf' (Expected 0, got 0)
:: [ PASS ] :: Running 'sed -i "s/\[realms\]/[realms]\n EXAMPLE.COM = {\n kdc = ibm-p730-04-lp4.rhts.eng.bos.redhat.com\n admin_server = ibm-p730-04-lp4.rhts.eng.bos.redhat.com\n }/" /etc/krb5.conf' (Expected 0, got 0)
:: [ PASS ] :: Running 'sed -i "s/\[domain_realm\]/[domain_realm]\n .rhts.eng.bos.redhat.com = EXAMPLE.COM\n rhts.eng.bos.redhat.com = EXAMPLE.COM/" /etc/krb5.conf' (Expected 0, got 0)
:: [ PASS ] :: Running 'sed -i s/EXAMPLE.COM/EXAMPLE.COM/ /var/kerberos/krb5kdc/kdc.conf' (Expected 0, got 0)
:: [ PASS ] :: Running 'sed -i s/EXAMPLE.COM/EXAMPLE.COM/ /var/kerberos/krb5kdc/kadm5.acl' (Expected 0, got 0)
:: [ PASS ] :: Running 'restorecon -Rv /etc/krb5.conf /var/kerberos/krb5kdc' (Expected 0, got 0)
:: [ PASS ] :: Faking entropy generation (Expected 0, got 0)
:: [ PASS ] :: Realm creation (Expected 0, got 0)
:: [ PASS ] :: Starting services (Expected 0, got 0)
:: [ PASS ] :: Adding root krb5 account and password (Expected 0, got 0)
:: [ PASS ] :: Creating machine key (Expected 0, got 0)
:: [ PASS ] :: Adding machine to the trusted db (Expected 0, got 0)
:: [ PASS ] :: Creating service key (Expected 0, got 0)
:: [ PASS ] :: Adding machine to the trusted db (Expected 0, got 0)
:: [ PASS ] :: System user creation (Expected 0, got 0)
:: [ PASS ] :: Adding password (Expected 0, got 0)
:: [ PASS ] :: Adding user to the krb5 db (Expected 0, got 0)
:: [ PASS ] :: Updating system to use krb5 authentication (Expected 0, got 0)
:: [ PASS ] :: Kerberos user authentification (Expected 0, got 0)
:: [ PASS ] :: Running 'kadmin.local -q "modprinc +requires_preauth Ariel"' (Expected 0, got 0)
:: [ LOG ] :: openldap_setup function started
:: [ PASS ] :: Backing up config files that could be changed by openldap (Expected 0, got 0)
:: [ PASS ] :: Backup slapd sysconfig file (Expected 0, got 0)
:: [ PASS ] :: Running 'openldap_default_data_ldif dc=example,dc=com example' (Expected 0, got 0)
:: [ PASS ] :: Enable listening of openldap server on standard (389) and ssl (636) ports (Expected 0, got 0)
:: [ PASS ] :: Running 'echo "127.0.0.1 example.com" >> /etc/hosts' (Expected 0, got 0)
:: [ PASS ] :: Creating self-signed CA key & certificate (Expected 0, got 0)
:: [ PASS ] :: Creating server key & certificate request (Expected 0, got 0)
:: [ PASS ] :: Signing server certificate (Expected 0, got 0)
:: [ PASS ] :: Removing pass phrase from server key (Expected 0, got 0)
:: [ PASS ] :: Running 'mkdir -p /etc/openldap/cacerts' (Expected 0, got 0)
:: [ PASS ] :: Running 'cp server.key server.crt ca.crt /etc/openldap/cacerts' (Expected 0, got 0)
:: [ PASS ] :: Running 'chown ldap:ldap /etc/openldap/cacerts/*' (Expected 0, got 0)
:: [ PASS ] :: Running 'chmod 600 /etc/openldap/cacerts/*' (Expected 0, got 0)
:: [ PASS ] :: Running 'openldap_create_certs' (Expected 0, got 0)
:: [ PASS ] :: Running 'slapadd -l data.ldif' (Expected 0, got 0)
:: [ PASS ] :: Running 'restorecon -vvRF /etc/openldap/' (Expected 0, got 0)
:: [ PASS ] :: Running 'service slapd start && sleep 10' (Expected 0, got 0)
:: [ PASS ] :: Setup path to CA certificate in ldap.conf (Expected 0, got 0)
:: [ PASS ] :: Running 'service slapd status' (Expected 0, got 0)
:: [ LOG ] :: Try ldapsearch with Manager account
:: [ PASS ] :: Running 'ldapsearch -H ldap://example.com -b dc=example,dc=com -D cn=Manager,dc=example,dc=com -w x -x '*'' (Expected 0, got 0)
:: [ LOG ] :: Try ldapsearch with user account
:: [ PASS ] :: Running 'ldapsearch -H ldap://example.com -b dc=example,dc=com -D cn=admin,ou=People,dc=example,dc=com -w x -x '*'' (Expected 0, got 0)
:: [ PASS ] :: Running 'openldap_test_setup example.com' (Expected 0, got 0)
:: [ PASS ] :: Running 'openldap_setup' (Expected 0, got 0)
:: [ PASS ] :: Running 'restorecon -v /etc/ldap.keytab' (Expected 0, got 0)
:: [ PASS ] :: Running 'chown -R ldap:ldap /etc/ldap.keytab' (Expected 0, got 0)
:: [ PASS ] :: Running 'chmod 600 /etc/ldap.keytab' (Expected 0, got 0)
:: [ PASS ] :: Running 'systemconfig_slapd' (Expected 0, got 0)
:: [ PASS ] :: Running 'service slapd restart && sleep 10' (Expected 0, got 0)
:: [ PASS ] :: Running 'service slapd status' (Expected 0, got 0)
:: [ LOG ] :: Try ldapsearch with Manager account
:: [ PASS ] :: Running 'ldapsearch -H ldap://ibm-p730-04-lp4.rhts.eng.bos.redhat.com -b dc=example,dc=com -D cn=Manager,dc=example,dc=com -w x -x '*'' (Expected 0, got 0)
:: [ PASS ] :: Kerberos user authentication (Expected 0, got 0)
:: [ PASS ] :: Running 'klist' (Expected 0, got 0)
:: [ LOG ] :: Try ldapsearch with gssapi to local openldap server
:: [ PASS ] :: Try ldapsearch with gssapi (Expected 0, got 0)
:: [ PASS ] :: Running 'kdestroy' (Expected 0, got 0)
:: [ PASS ] :: Server ready (Expected 0, got 0)
:: [ PASS ] :: Waiting for the client (Expected 0, got 0)
:: [ PASS ] :: Running 'service slapd stop' (Expected 0, got 0)
:: [ PASS ] :: Running 'openldap_cleanup' (Expected 0, got 0)
:: [ PASS ] :: Updating system to not use krb5 authentication (Expected 0, got 0)
:: [ PASS ] :: User Deletion (Expected 0, got 0)
:: [ PASS ] :: Deleting additional ldap keytab (Expected 0, got 0)
:: [ PASS ] :: Stop fake entropy generation (Expected 0, got 0)
:: [ PASS ] :: Running 'rm -rf /var/kerberos/krb5kdc/* /var/kerberos/krb5kdc/.k5* /etc/krb5.keytab /etc/sysconfig/authconfig' (Expected 0, got 0)
:: [ PASS ] :: Running 'rlFileRestore --namespace krb5' (Expected 0, got 0)
:: [ PASS ] :: Running 'rlServiceRestore krb5kdc kadmin' (Expected 0, got 0)
:: [ LOG ] :: Duration: 1m 22s
:: [ LOG ] :: Assertions: 70 good, 0 bad
:: [ PASS ] :: RESULT: Server
```

Client:

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Set time/date on client ahead the server time
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'date' (Expected 0, got 0)
:: [ PASS ] :: Running 'date -s @1390550939' (Expected 0, got 0)
:: [ PASS ] :: Kerberos user authentication (Expected 0, got 0)
:: [ PASS ] :: Running 'klist' (Expected 0, got 0)
:: [ FAIL ] :: Try ldapsearch with gssapi (Expected 0, got 2)
:: [ PASS ] :: Running 'kdestroy' (Expected 0, got 0)
:: [ PASS ] :: Running 'date -s @1391069339' (Expected 0, got 0)
:: [ PASS ] :: Kerberos user authentication (Expected 0, got 0)
:: [ PASS ] :: Running 'klist' (Expected 0, got 0)
:: [ FAIL ] :: Try ldapsearch with gssapi (Expected 0, got 2)
:: [ PASS ] :: Running 'kdestroy' (Expected 0, got 0)
:: [ PASS ] :: Running 'date -s @1392883739' (Expected 0, got 0)
:: [ PASS ] :: Kerberos user authentication (Expected 0, got 0)
:: [ PASS ] :: Running 'klist' (Expected 0, got 0)
:: [ FAIL ] :: Try ldapsearch with gssapi (Expected 0, got 2)
:: [ PASS ] :: Running 'kdestroy' (Expected 0, got 0)
:: [ PASS ] :: Synchronize time (Expected 0, got 0)
:: [ LOG ] :: Duration: 12s
:: [ LOG ] :: Assertions: 14 good, 3 bad
:: [ FAIL ] :: RESULT: Set time/date on client ahead the server time
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Set time/date on client behind the server time
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'date' (Expected 0, got 0)
:: [ PASS ] :: Running 'date -s @1390378151' (Expected 0, got 0)
:: [ PASS ] :: Kerberos user authentication (Expected 0, got 0)
:: [ PASS ] :: Running 'klist' (Expected 0, got 0)
:: [ FAIL ] :: Try ldapsearch with gssapi (Expected 0, got 2)
:: [ PASS ] :: Running 'kdestroy' (Expected 0, got 0)
:: [ PASS ] :: Running 'date -s @1389859751' (Expected 0, got 0)
:: [ PASS ] :: Kerberos user authentication (Expected 0, got 0)
:: [ PASS ] :: Running 'klist' (Expected 0, got 0)
:: [ FAIL ] :: Try ldapsearch with gssapi (Expected 0, got 2)
:: [ PASS ] :: Running 'kdestroy' (Expected 0, got 0)
:: [ PASS ] :: Running 'date -s @1388045351' (Expected 0, got 0)
:: [ PASS ] :: Kerberos user authentication (Expected 0, got 0)
:: [ PASS ] :: Running 'klist' (Expected 0, got 0)
:: [ FAIL ] :: Try ldapsearch with gssapi (Expected 0, got 2)
:: [ PASS ] :: Running 'kdestroy' (Expected 0, got 0)
:: [ PASS ] :: Synchronize time (Expected 0, got 0)
:: [ LOG ] :: Duration: 13s
:: [ LOG ] :: Assertions: 14 good, 3 bad
:: [ FAIL ] :: RESULT: Set time/date on client behind the server time
```

+-----------------------+
OLD: krb5-1.11.3-35.el7
+-----------------------+

Server: The same as above: all PASS.

Client:

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Set time/date on client ahead the server time
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'date' (Expected 0, got 0)
:: [ PASS ] :: Running 'date -s @1390551180' (Expected 0, got 0)
:: [ PASS ] :: Kerberos user authentication (Expected 0, got 0)
:: [ PASS ] :: Running 'klist' (Expected 0, got 0)
:: [ FAIL ] :: Try ldapsearch with gssapi (Expected 0, got 2)
:: [ PASS ] :: Running 'kdestroy' (Expected 0, got 0)
:: [ PASS ] :: Running 'date -s @1391069580' (Expected 0, got 0)
:: [ PASS ] :: Kerberos user authentication (Expected 0, got 0)
:: [ PASS ] :: Running 'klist' (Expected 0, got 0)
:: [ FAIL ] :: Try ldapsearch with gssapi (Expected 0, got 2)
:: [ PASS ] :: Running 'kdestroy' (Expected 0, got 0)
:: [ PASS ] :: Running 'date -s @1392883980' (Expected 0, got 0)
:: [ PASS ] :: Kerberos user authentication (Expected 0, got 0)
:: [ PASS ] :: Running 'klist' (Expected 0, got 0)
:: [ FAIL ] :: Try ldapsearch with gssapi (Expected 0, got 2)
:: [ PASS ] :: Running 'kdestroy' (Expected 0, got 0)
:: [ PASS ] :: Synchronize time (Expected 0, got 0)
:: [ LOG ] :: Duration: 13s
:: [ LOG ] :: Assertions: 14 good, 3 bad
:: [ FAIL ] :: RESULT: Set time/date on client ahead the server time
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Set time/date on client behind the server time
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'date' (Expected 0, got 0)
:: [ PASS ] :: Running 'date -s @1390378392' (Expected 0, got 0)
:: [ PASS ] :: Kerberos user authentication (Expected 0, got 0)
:: [ PASS ] :: Running 'klist' (Expected 0, got 0)
:: [ PASS ] :: Try ldapsearch with gssapi (Expected 0, got 0)
:: [ PASS ] :: Running 'kdestroy' (Expected 0, got 0)
:: [ PASS ] :: Running 'date -s @1389859992' (Expected 0, got 0)
:: [ PASS ] :: Kerberos user authentication (Expected 0, got 0)
:: [ PASS ] :: Running 'klist' (Expected 0, got 0)
:: [ PASS ] :: Try ldapsearch with gssapi (Expected 0, got 0)
:: [ PASS ] :: Running 'kdestroy' (Expected 0, got 0)
:: [ PASS ] :: Running 'date -s @1388045592' (Expected 0, got 0)
:: [ PASS ] :: Kerberos user authentication (Expected 0, got 0)
:: [ PASS ] :: Running 'klist' (Expected 0, got 0)
:: [ PASS ] :: Try ldapsearch with gssapi (Expected 0, got 0)
:: [ PASS ] :: Running 'kdestroy' (Expected 0, got 0)
:: [ PASS ] :: Synchronize time (Expected 0, got 0)
:: [ LOG ] :: Duration: 15s
:: [ LOG ] :: Assertions: 17 good, 0 bad
:: [ PASS ] :: RESULT: Set time/date on client behind the server time
```

+-----------------------+
NEW: krb5-1.11.3-43.el7
+-----------------------+

Server: The same as above: all PASS.

Client:

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Set time/date on client ahead the server time
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'date' (Expected 0, got 0)
:: [ PASS ] :: Running 'date -s @1390551372' (Expected 0, got 0)
:: [ PASS ] :: Kerberos user authentication (Expected 0, got 0)
:: [ PASS ] :: Running 'klist' (Expected 0, got 0)
:: [ PASS ] :: Try ldapsearch with gssapi (Expected 0, got 0)
:: [ PASS ] :: Running 'kdestroy' (Expected 0, got 0)
:: [ PASS ] :: Running 'date -s @1391069772' (Expected 0, got 0)
:: [ PASS ] :: Kerberos user authentication (Expected 0, got 0)
:: [ PASS ] :: Running 'klist' (Expected 0, got 0)
:: [ PASS ] :: Try ldapsearch with gssapi (Expected 0, got 0)
:: [ PASS ] :: Running 'kdestroy' (Expected 0, got 0)
:: [ PASS ] :: Running 'date -s @1392884172' (Expected 0, got 0)
:: [ PASS ] :: Kerberos user authentication (Expected 0, got 0)
:: [ PASS ] :: Running 'klist' (Expected 0, got 0)
:: [ PASS ] :: Try ldapsearch with gssapi (Expected 0, got 0)
:: [ PASS ] :: Running 'kdestroy' (Expected 0, got 0)
:: [ PASS ] :: Synchronize time (Expected 0, got 0)
:: [ LOG ] :: Duration: 14s
:: [ LOG ] :: Assertions: 17 good, 0 bad
:: [ PASS ] :: RESULT: Set time/date on client ahead the server time
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Set time/date on client behind the server time
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'date' (Expected 0, got 0)
:: [ PASS ] :: Running 'date -s @1390378586' (Expected 0, got 0)
:: [ PASS ] :: Kerberos user authentication (Expected 0, got 0)
:: [ PASS ] :: Running 'klist' (Expected 0, got 0)
:: [ PASS ] :: Try ldapsearch with gssapi (Expected 0, got 0)
:: [ PASS ] :: Running 'kdestroy' (Expected 0, got 0)
:: [ PASS ] :: Running 'date -s @1389860186' (Expected 0, got 0)
:: [ PASS ] :: Kerberos user authentication (Expected 0, got 0)
:: [ PASS ] :: Running 'klist' (Expected 0, got 0)
:: [ PASS ] :: Try ldapsearch with gssapi (Expected 0, got 0)
:: [ PASS ] :: Running 'kdestroy' (Expected 0, got 0)
:: [ PASS ] :: Running 'date -s @1388045786' (Expected 0, got 0)
:: [ PASS ] :: Kerberos user authentication (Expected 0, got 0)
:: [ PASS ] :: Running 'klist' (Expected 0, got 0)
:: [ PASS ] :: Try ldapsearch with gssapi (Expected 0, got 0)
:: [ PASS ] :: Running 'kdestroy' (Expected 0, got 0)
:: [ PASS ] :: Synchronize time (Expected 0, got 0)
:: [ LOG ] :: Duration: 14s
:: [ LOG ] :: Assertions: 17 good, 0 bad
:: [ PASS ] :: RESULT: Set time/date on client behind the server time
```

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.