Ticket History #7118: spurious kadmind clockskew errors, probably due to entropy shortage at startup

# Thu Apr 19 13:32:59 2012 Brian F Knoll <bknoll@MIT.EDU> - Ticket created

From:	Brian F Knoll <bknoll@MIT.EDU>
To:	"krb5-bugs@mit.edu" <krb5-bugs@MIT.EDU>
Subject:	Possible kadmin bug in Ubuntu 12.04
Date:	Thu, 19 Apr 2012 16:20:58 +0000

Download (untitled) / with headers
text/plain 1KiB

Download (untitled) / with headers
text/html 2.9KiB

I have found what I think might be a kadmin bug in Kerberos 5 as shipped in Ubuntu 12.04.

If I create an Ubuntu 12.04 installation in a VM, then install the krb5-kdc and krb5-admin-server packages, I can create a test realm. Once I do this, I can use kadmin.local to add principals, and I can kinit to those principals. That all works fine.

However, when I try to use kadmin to connect to the admin server, it hangs for a few minutes, then fails with an “Unspecified GSS failure: clock skew too great” error. This is even when I use kadmin to connect to the same machine, meaning that the clock would by definition have to be correct. I started to file a bug report on Ubuntu’s Launchpad site but it mentioned this email address, so I thought I would check here first to see if I should be reporting the bug here instead of on Launchpad. This all works fine if I use an Ubuntu 10.04 VM instead of an Ubuntu 12.04 VM.

If I should, instead, report this bug to Ubuntu (if it is a packaging error, perhaps), then please let me know so I may do so.

Thanks,

Brian

# Fri Apr 20 13:03:44 2012 tlyu (Taylor Yu) - Correspondence added

To:	rt@krbdev.MIT.EDU
Subject:	Re: [krbdev.mit.edu #7118] Possible kadmin bug in Ubuntu 12.04
From:	Tom Yu <tlyu@MIT.EDU>
Date:	Fri, 20 Apr 2012 13:03:42 -0400
RT-Send-Cc:

Download (untitled) / with headers
text/plain 1.3KiB

"Brian F Knoll via RT" <rt-comment@krbdev.mit.edu> writes:

Show quoted text

> If I create an Ubuntu 12.04 installation in a VM, then install the krb5-kdc and krb5-admin-server packages, I can create a test realm. Once I do this, I can use kadmin.local to add principals, and I can kinit to those principals. That all works fine.
>
> However, when I try to use kadmin to connect to the admin server, it hangs for a few minutes, then fails with an "Unspecified GSS failure: clock skew too great" error. This is even when I use kadmin to connect to the same machine, meaning that the clock would by definition have to be correct. I started to file a bug report on Ubuntu's Launchpad site but it mentioned this email address, so I thought I would check here first to see if I should be reporting the bug here instead of on Launchpad. This all works fine if I use an Ubuntu 10.04 VM instead of an Ubuntu 12.04 VM.

The hanging for a few minutes sounds like it could be a network or
configuration problem; that's not a normal thing for kadmind to do.
If it primarily happens soon after starting kadmind, it could be a
problem with kadmind blocking on the random number generator.
(Anecdotal evidence suggests that this can be more common on VMs than
on bare metal.) Passing the '-W' flag to kadmind will force it to
read from the weak random number source, which will speed up its
startup at some cost to security.

# Tue Jun 19 14:54:37 2012 tlyu (Taylor Yu) - Subject changed from 'Possible kadmin bug in Ubuntu 12.04' to 'spurious kadmind clockskew errors, probably due to entropy shortage at startup'

# Tue Jun 19 14:54:38 2012 tlyu (Taylor Yu) - Status changed from 'new' to 'resolved'

# Tue Jun 19 14:54:38 2012 tlyu (Taylor Yu) - Tags nochange added