Any objections to applying the latest patch in 5924?

Jeffrey Altman jaltman at
Wed Jun 18 14:55:03 EDT 2008

Tom Yu wrote:
> Jeffrey Altman <jaltman at> writes:
>> A brief Google search reveals that krb5_set_real_time() is used
>> internally to
>> the krb5 libraries and was exported so that it can be called by Samba
>> so that
>> the real time can be set to the CIFS server time specified in an
>> authentication
>> failure response.
> Is the call within the krb5 library not sufficient for the CIFS use?
They are trying with the offset determined from the KDC but when that 
fails they
call krb5_set_real_time() with the time presented by the CIFS Server.  
They then
retry with the new offset value.
>> Given its purpose I cannot imagine a use case in which a negative
>> microseconds
>> value would actually be valid?   Are there any real world systems in
>> which time is
>> reported as S seconds U microseconds where U is negative?
>> This bug is serious and is widely causing problems.   At a minimum for
>> Cornell,
>> many users of modauthkerb, and my clients.   I believe it should be
>> fixed.
> Go ahead and commit your change, and make a note that documentation
> needs to be updated.
> We should also fix the KDC side of this problem.
I will do so and note the documentation change in the ticket.  (or 
should a new doc
queue be created and a doc change request be inserted there?  that is 
what we do
for openafs)

Jeffrey Altman

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url :

More information about the krbdev mailing list