Any objections to applying the latest patch in 5924?

Jeffrey Altman jaltman at secure-endpoints.com
Wed Jun 18 14:55:03 EDT 2008


Tom Yu wrote:
> Jeffrey Altman <jaltman at secure-endpoints.com> writes:
>
>> A brief Google search reveals that krb5_set_real_time() is used internally to
>> the krb5 libraries and was exported so that it can be called by Samba so that
>> the real time can be set to the CIFS server time specified in an
>> authentication failure response.
>
> Is the call within the krb5 library not sufficient for the CIFS use?
They are trying with the offset determined from the KDC but when that fails
they call krb5_set_real_time() with the time presented by the CIFS Server.
They then retry with the new offset value.
>> Given its purpose I cannot imagine a use case in which a negative
>> microseconds value would actually be valid?  Are there any real world
>> systems in which time is reported as S seconds U microseconds where U is
>> negative?
>>
>> This bug is serious and is widely causing problems.  At a minimum for
>> Cornell, many users of modauthkerb, and my clients.  I believe it should be
>> fixed.
>
> Go ahead and commit your change, and make a note that documentation
> needs to be updated.
> We should also fix the KDC side of this problem.
I will do so and note the documentation change in the ticket.  (Or should a
new doc queue be created and a doc change request be inserted there?  That is
what we do for openafs.)

Jeffrey Altman
