Subject: kinit to AD server should be more tolerant of clock skew

Since the introduction of the get_init_creds interfaces, we have been
including a start time in all initial ticket requests, not just ones where
the caller asked for a specific start time. The start time is ignored by
MIT and Heimdal KDCs for non-postdated requests, but AD will reply with an
error if the requested start time is in the future relative to the KDC,
defeating the kdc_timesync option in one direction.

This change in the gic behavior also disabled the client check for too
much clock skew in the KDC reply, since that check only operates if the
start time was omitted in the request.

From: ghudson@mit.edu
Subject: SVN Commit

Omit start time in common AS requests

MIT and Heimdal KDCs ignore the start time for non-postdated ticket
requests, but AD yields an error if the start time is in the KDC's
future, defeating the kdc_timesync option. Omit the start time if the
caller did not specify a start time offset.

This change reenables the client check for too much clock skew in the
KDC reply in the non-timesync configuration. That check had been
unintentionally suppressed since the introduction of the
get_init_creds interfaces. Adjust the t_skew test script to expect
the new error behavior.

Code changes from stefw@gnome.org with slight modifications.

https://github.com/krb5/krb5/commit/39629e9df44ce8c4ad72fde951390acc6864407d
Commit By: ghudson
Revision: 25864
Changed Files:
U trunk/src/lib/krb5/krb/get_in_tkt.c
U trunk/src/tests/t_skew.py
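
The behaviour discussed in this ticket, as an added model that is not code from krb5 or from the commit: it compares always sending a start time with sending one only when the caller gave an offset, against a KDC that ignores the field and one that rejects a future start time. All names are hypothetical, times are plain seconds, and preauthentication and real postdating are left out.

```c
#include <stdlib.h>

/* Hypothetical model, not krb5 source. A time of 0 means "field omitted". */
enum kdc_kind { KDC_MIT_OR_HEIMDAL, KDC_AD };
enum result { R_OK, R_KDC_ERROR, R_CLIENT_SKEW };

struct as_req { long from; };                  /* requested start time */
struct as_rep { int error; long starttime; };  /* start time the KDC issued */

/* Build the request. legacy=1 models always sending a start time;
 * legacy=0 sends one only when the caller supplied a start offset. */
static struct as_req build_req(long client_now, long start_offset, int legacy)
{
    struct as_req r = { 0 };
    if (legacy || start_offset > 0)
        r.from = client_now + start_offset;
    return r;
}

/* KDC side: AD answers with an error when the requested start time is in
 * its own future; MIT and Heimdal ignore the field (non-postdated case). */
static struct as_rep kdc_reply(enum kdc_kind k, long kdc_now, struct as_req q)
{
    struct as_rep p = { 0, kdc_now };
    if (k == KDC_AD && q.from > kdc_now)
        p.error = 1;
    return p;
}

/* Client side: the skew check on the reply runs only when the request
 * omitted the start time and kdc_timesync is off. */
static enum result as_exchange(enum kdc_kind k, long client_now, long kdc_now,
                               long start_offset, int legacy, int timesync,
                               long max_skew)
{
    struct as_req q = build_req(client_now, start_offset, legacy);
    struct as_rep p = kdc_reply(k, kdc_now, q);

    if (p.error)
        return R_KDC_ERROR;
    if (!timesync && q.from == 0 && labs(p.starttime - client_now) > max_skew)
        return R_CLIENT_SKEW;
    return R_OK;
}
```

With a client clock 600 seconds fast and a 300 second tolerance, the legacy request fails against the AD model even with timesync on, and against the MIT model with timesync off it succeeds only because the skew check never runs.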