Bug 889206 - On clock skew sssd returns system error
Summary: On clock skew sssd returns system error
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
Reported: 2012-12-20 13:56 UTC by Dmitri Pal
Modified: 2020-05-02 17:10 UTC (History)

Fixed In Version: sssd-1.12.2-42.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 10:26:53 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | SSSD sssd issues 2763 | 0 | None | None | None | 2020-05-02 17:10:53 UTC
Red Hat Product Errata | RHBA-2015:0441 | 0 | normal | SHIPPED_LIVE | sssd bug fix and enhancement update | 2015-03-05 15:05:27 UTC

Description Dmitri Pal 2012-12-20 13:56:55 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1721

I updated one of my laptops today and the time got 1 hour out of sync for some reason.
When I tried to log in I got back a system error. Checking the krb error returned, it said clock skew.

I think we should not return system error, we should either adjust to the skew or log in with offline credentials.

Comment 2 Martin Kosek 2014-06-17 12:13:13 UTC
Fixed upstream (in ticket 1096):

master: 83011d97d17bd00e99ccf1e0302167a6bc0db84e

Comment 4 Kaushik Banerjee 2015-01-14 06:46:51 UTC
Tested with:
# rpm -q sssd
sssd-1.12.2-39.el7.x86_64

With kdc time ahead by one hour, I see system error in /var/log/secure

# ssh puser1@localhost
puser1@localhost's password: 
Permission denied, please try again.
puser1@localhost's password: 


# tailf /var/log/secure
Jan 14 01:32:57 qe-blade-01 sshd[14926]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=puser1
Jan 14 01:32:57 qe-blade-01 sshd[14926]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=puser1
Jan 14 01:32:57 qe-blade-01 sshd[14926]: pam_sss(sshd:auth): received for user puser1: 4 (System error)
Jan 14 01:33:00 qe-blade-01 sshd[14926]: Failed password for puser1 from ::1 port 50380 ssh2

# tailf /var/log/sssd/krb5_child.log | grep skew
(Wed Jan 14 01:32:57 2015) [[sssd[krb5_child[14968]]]] [get_and_save_tgt] (0x0020): 996: [-1765328236][Clock skew too great in KDC reply]
(Wed Jan 14 01:32:57 2015) [[sssd[krb5_child[14968]]]] [map_krb5_error] (0x0020): 1065: [-1765328236][Clock skew too great in KDC reply]

# tailf /var/log/messages
Jan 14 01:32:57 qe-blade-01 [sssd[krb5_child[14968]]]: Clock skew too great in KDC reply
Jan 14 01:32:57 qe-blade-01 [sssd[krb5_child[14968]]]: Clock skew too great in KDC reply


# tailf /var/log/sssd/sssd_LDAP-KRB5.log
(Wed Jan 14 01:32:57 2015) [sssd[be[LDAP-KRB5]]] [write_pipe_handler] (0x0400): All data has been sent!
(Wed Jan 14 01:32:57 2015) [sssd[be[LDAP-KRB5]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Wed Jan 14 01:32:57 2015) [sssd[be[LDAP-KRB5]]] [check_wait_queue] (0x1000): Wait queue for user [puser1] is empty.
(Wed Jan 14 01:32:57 2015) [sssd[be[LDAP-KRB5]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Wed Jan 14 01:32:57 2015) [sssd[be[LDAP-KRB5]]] [be_pam_handler_callback] (0x0100): Sending result [4][LDAP-KRB5]

sssd.conf domain section:
[domain/LDAP-KRB5]
debug_level = 0xFFF0
id_provider = ldap
ldap_uri = ldap://<ldap server>
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_server = <kdc hostname>
krb5_realm = EXAMPLE.COM

Comment 5 Jakub Hrozek 2015-01-14 10:18:30 UTC
I think I see the problem, we only handled one of the two possible skew error codes, not the other one.

Can you try this build? http://brewweb.devel.redhat.com/brew/taskinfo?taskID=8527595

Comment 6 Kaushik Banerjee 2015-01-14 10:34:58 UTC
(In reply to Jakub Hrozek from comment #5)
> I think I see the problem, we only handled one of the two possible skew
> error codes, not the other one.
> 
> Can you try this build?
> http://brewweb.devel.redhat.com/brew/taskinfo?taskID=8527595

This build works as expected. System error no longer appears and sssd goes offline on clock skew.

/var/log/secure now shows:
Jan 14 05:31:21 qe-blade-01 sshd[31863]: pam_sss(sshd:auth): received for user puser1: 9 (Authentication service cannot retrieve authentication info)

Comment 9 Kaushik Banerjee 2015-01-16 10:29:20 UTC
Verified with sssd-1.12.2-42.el7

If kdc is ahead of time by one hour, /var/log/secure now shows:
Jan 16 02:54:03 yttrium sshd[7003]: pam_sss(sshd:auth): received for user puser1: 9 (Authentication service cannot retrieve authentication info)

# cat /var/log/sssd/krb5_child.log | grep -i "Clock skew too great"
(Fri Jan 16 02:54:03 2015) [[sssd[krb5_child[7013]]]] [get_and_save_tgt] (0x0020): 996: [-1765328236][Clock skew too great in KDC reply]
(Fri Jan 16 02:54:03 2015) [[sssd[krb5_child[7013]]]] [map_krb5_error] (0x0020): 1065: [-1765328236][Clock skew too great in KDC reply]

Domain log shows:
(Fri Jan 16 02:54:03 2015) [sssd[be[LDAP-KRB5]]] [be_mark_offline] (0x2000): Going offline!

Comment 11 errata-xmlrpc 2015-03-05 10:26:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html
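
Added example (not part of the bug report and not SSSD code): a Python triage script that pairs pam_sss result codes from /var/log/secure with clock-skew errors from krb5_child.log, separating the symptom reported here (PAM 4, System error) from the verified behaviour (PAM 9, backend offline). Treating KRB5KRB_AP_ERR_SKEW as the second skew code, the 2-second window, the verdict labels and the third sample line are assumptions of this example.

```python
import re
from datetime import datetime

# libkrb5 clock-skew codes (krb5.h). The logs on this page show -1765328236.
SKEW_CODES = {-1765328347: "KRB5KRB_AP_ERR_SKEW", -1765328236: "KRB5_KDCREP_SKEW"}
PAM_SYSTEM_ERR, PAM_AUTHINFO_UNAVAIL = 4, 9  # Linux-PAM result codes

PAM_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ \S+ pam_sss\(\S+\): "
                    r"received for user (\S+): (\d+) \(")
KRB_RE = re.compile(r"^\(\w{3} (\w{3}\s+\d+ [\d:]{8}) \d{4}\) .*?\[(-?\d+)\]\[")

def _ts(stamp):
    # /var/log/secure stamps carry no year; pin one so both logs compare.
    return datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")

def triage(secure_lines, krb5_child_lines, window=2):
    """Pair each pam_sss result with skew errors logged within `window` seconds."""
    skews = []
    for line in krb5_child_lines:
        m = KRB_RE.match(line)
        if m and int(m.group(2)) in SKEW_CODES:
            skews.append((_ts(m.group(1)), SKEW_CODES[int(m.group(2))]))
    findings = []
    for line in secure_lines:
        m = PAM_RE.match(line)
        if not m:
            continue
        when, user, pam = _ts(m.group(1)), m.group(2), int(m.group(3))
        names = sorted({n for t, n in skews if abs((t - when).total_seconds()) <= window})
        if not names:
            continue  # failure unrelated to clock skew
        verdict = {PAM_SYSTEM_ERR: "unhandled-skew",
                   PAM_AUTHINFO_UNAVAIL: "offline-on-skew"}.get(pam, "other")
        findings.append((user, pam, names, verdict))
    return findings

# First two lines are copied from comments 4 and 9; the third is constructed.
SECURE = [
    "Jan 14 01:32:57 qe-blade-01 sshd[14926]: pam_sss(sshd:auth): received for user puser1: 4 (System error)",
    "Jan 16 02:54:03 yttrium sshd[7003]: pam_sss(sshd:auth): received for user puser1: 9 (Authentication service cannot retrieve authentication info)",
    "Jan 15 09:00:00 host1 sshd[100]: pam_sss(sshd:auth): received for user puser2: 7 (Authentication failure)",
]
KRB5_CHILD = [  # copied from comments 4 and 9
    "(Wed Jan 14 01:32:57 2015) [[sssd[krb5_child[14968]]]] [map_krb5_error] (0x0020): 1065: [-1765328236][Clock skew too great in KDC reply]",
    "(Fri Jan 16 02:54:03 2015) [[sssd[krb5_child[7013]]]] [map_krb5_error] (0x0020): 1065: [-1765328236][Clock skew too great in KDC reply]",
]

if __name__ == "__main__":
    for finding in triage(SECURE, KRB5_CHILD):
        print(finding)
```

An "unhandled-skew" finding on a host running a build at or after the Fixed In Version is worth checking against the host's time synchronisation before treating it as a credential problem.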

