Hi,

while testing the offline subdomain logins, I found out that clock skew
(which is still an issue in trusted environments even after the recent
MIT Kerberos changes) results in a System Error.

The attached patch simply treats the skew as a networking error, which
results in failover and, if no good server is found, in offline
operation. It didn't seem necessary to me to add a new error code, but if
other developers would like better error reporting, I can add it
easily.
From 0007f9b4da07d6e8b7928f352b611617f4b8401a Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <[email protected]>
Date: Thu, 28 Nov 2013 16:00:59 +0100
Subject: [PATCH] KRB5: Go offline in case of clock skew

https://fedorahosted.org/sssd/ticket/1096

In case the KDC has skewed time, we can retry with the next one and
eventually go offline if no KDC has time in sync with the client.
Previously, authentication with wrong time resulted in System Error.
---
 src/providers/krb5/krb5_child.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index bd937e8081df4a5637a4267c356c1f9a08965b42..5859223206085021d9c87cf9d04188f4d2329013 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -986,6 +986,7 @@ static errno_t map_krb5_error(krb5_error_code kerr)
     case KRB5_LIBOS_CANTREADPWD:
         return ERR_NO_CREDS;
 
+    case KRB5KRB_AP_ERR_SKEW:
     case KRB5_KDC_UNREACH:
     case KRB5_REALM_CANT_RESOLVE:
         return ERR_NETWORK_IO;
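Review bot: the new `case KRB5KRB_AP_ERR_SKEW:` line carries no comment saying why a time-synchronisation failure is returned as ERR_NETWORK_IO, and once it is folded into that class a caller of map_krb5_error() can no longer tell a skewed clock from an unreachable KDC or an unresolvable realm. The commit message says the client will "eventually go offline if no KDC has time in sync"; when the skew is on the client side every KDC returns the same error, so the failover walk ends offline with nothing pointing at the clock. Suggest a one-line comment above the case (e.g. `/* Clock skew: fail over to the next KDC, go offline if none is in sync, see ticket 1096 */`) and a debug message logged before the skew is mapped, or the dedicated error code the cover letter offers, so the real cause stays visible to admins.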
-- 
1.8.4.2

_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
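To make the failover behaviour the patch relies on concrete, here is an added stand-alone example; it is not sssd's code and not from the patch author. The error codes, the map function and the KDC walk below are hypothetical stand-ins written for this page (so it compiles without krb5.h or sssd headers), and the "before" and "after" mapping of the skew error is selected by a flag so both behaviours can be compared on the same constructed KDC results.

```c
/* Added example, not sssd's code: a model of "treat clock skew as a
 * network error so the client fails over and eventually goes offline".
 * All identifiers below are hypothetical stand-ins for krb5/sssd ones. */
#include <stdio.h>
#include <stddef.h>

/* Stand-ins for the krb5_error_code values the page mentions. */
enum kerr {
    KERR_OK = 0,
    KERR_PREAUTH_FAILED,     /* wrong password */
    KERR_CANTREADPWD,        /* no usable credentials */
    KERR_AP_ERR_SKEW,        /* clock skew too great */
    KERR_KDC_UNREACH,        /* cannot contact any KDC */
    KERR_REALM_CANT_RESOLVE  /* cannot resolve a KDC for the realm */
};

/* Internal classes, modelled on the ERR_* values visible in the hunk. */
enum err_class {
    ERR_OK = 0,
    ERR_AUTH_FAILED,
    ERR_NO_CREDS,
    ERR_NETWORK_IO,   /* retryable: try the next KDC, offline if none left */
    ERR_INTERNAL      /* unmapped code: surfaces as "System Error" */
};

/* skew_is_network == 0 models the code before the patch (skew falls
 * through to ERR_INTERNAL); 1 models the patched mapping. */
static enum err_class map_kerr(enum kerr e, int skew_is_network)
{
    switch (e) {
    case KERR_OK:             return ERR_OK;
    case KERR_PREAUTH_FAILED: return ERR_AUTH_FAILED;
    case KERR_CANTREADPWD:    return ERR_NO_CREDS;
    case KERR_AP_ERR_SKEW:    return skew_is_network ? ERR_NETWORK_IO
                                                     : ERR_INTERNAL;
    case KERR_KDC_UNREACH:
    case KERR_REALM_CANT_RESOLVE:
                              return ERR_NETWORK_IO;
    }
    return ERR_INTERNAL;
}

enum outcome { OUT_ONLINE_OK, OUT_AUTH_FAILED, OUT_OFFLINE, OUT_SYSTEM_ERROR };

/* Walk the KDC list in order; kdc_result[i] is what the i-th KDC
 * returned. Only ERR_NETWORK_IO moves on to the next server; any other
 * class ends the attempt. Exhausting the list means offline operation. */
enum outcome try_kdcs(const enum kerr *kdc_result, size_t n, int skew_is_network)
{
    for (size_t i = 0; i < n; i++) {
        switch (map_kerr(kdc_result[i], skew_is_network)) {
        case ERR_OK:          return OUT_ONLINE_OK;
        case ERR_NETWORK_IO:  continue;             /* fail over */
        case ERR_AUTH_FAILED:
        case ERR_NO_CREDS:    return OUT_AUTH_FAILED; /* never retried */
        default:              return OUT_SYSTEM_ERROR;
        }
    }
    return OUT_OFFLINE;
}

/* Constructed scenarios (no real KDC traffic). */
enum outcome scenario_client_clock_wrong(int skew_is_network)
{   /* client clock is off: every KDC reports skew */
    const enum kerr r[] = { KERR_AP_ERR_SKEW, KERR_AP_ERR_SKEW, KERR_AP_ERR_SKEW };
    return try_kdcs(r, 3, skew_is_network);
}
enum outcome scenario_one_kdc_skewed(int skew_is_network)
{   /* only the first KDC has bad time; the second is fine */
    const enum kerr r[] = { KERR_AP_ERR_SKEW, KERR_OK };
    return try_kdcs(r, 2, skew_is_network);
}
enum outcome scenario_wrong_password(int skew_is_network)
{   /* a real authentication failure must not fail over */
    const enum kerr r[] = { KERR_PREAUTH_FAILED, KERR_OK };
    return try_kdcs(r, 2, skew_is_network);
}

int main(void)
{
    printf("all KDCs skewed, before patch: %d (3 = System Error)\n",
           scenario_client_clock_wrong(0));
    printf("all KDCs skewed, after patch:  %d (2 = offline)\n",
           scenario_client_clock_wrong(1));
    printf("one KDC skewed, after patch:   %d (0 = online ok)\n",
           scenario_one_kdc_skewed(1));
    printf("wrong password, after patch:   %d (1 = auth failed)\n",
           scenario_wrong_password(1));
    return 0;
}
```

The scenarios show both sides of the trade-off in the cover letter: a single KDC with bad time is now skipped instead of aborting the login, but a client whose own clock is wrong produces the same outcome as every KDC being unreachable, so the offline fallback hides the cause unless it is logged separately.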
