Impossible to log into a MS AD 2025 from a 32-bit GSSAPI system
Ken Hornstein
kenh at cmf.nrl.navy.mil
Wed Jul 2 14:47:52 EDT 2025
>In short, from a 32-bit client (tested on both x86 and armf), a kinit
>with such a user account fails with the message:
>
> ASN.1 failed call to system time library while getting initial
>credentials
Interestingly enough, I used to have the reverse problem. Specifically,
we had one user who used one system (pre-Unix MacOS Kerberos client)
which had an epoch before the usual 1-1-1970, and for reasons I never
quite understood their time got reset a LOT to this epoch value. When
they would try to authenticate we'd get this error on the KDC, but then
the request was dropped so they saw it as "couldn't contact any KDC".
Drove me nuts until I figured it out.
Personally I think your workaround is fine; I am not sure what systems
with a 32-bit time_t are supposed to do after Y2038 anyway.
--Ken
More information about the Kerberos
mailing list