AP-REP KRB5_MUTUAL_FAILED (-1765328226L) and Leap Seconds
dave.daugherty at centrify.com
Wed May 25 13:18:56 EDT 2011
We recently stumbled upon a problem with a CentOS version 5 library that appears to factor 24 leap seconds into the gmtime_r function. This may have to do with timezone settings: http://old.nabble.com/Seeking-clarifaction-of-tai64nlocal-and-leap-seconds-td31298116.html
This leads to an AP-REQ/AP-REP failure because of the following:
1. AP-REQ reads gmtime_r and converts it to an ASCII time string to be sent to the service - the gmtime_r includes leap seconds.
2. The AP-REP comes back, and the returned time string (which is correct) is eventually given to krb5int_gmt_mktime (or gmt_mktime in older releases), where the time string is converted back into a time structure without factoring in the leap seconds.
3. Now the mutual authentication fails because the two values - the gmtime_r sent and the gmt_mktime value - are off by 24 seconds.
Why not just save the time string and then compare it against the return time string to avoid this problem?
Are there other places in the code base where this might be a problem?
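The round trip described in this message, as an added example that is not part of the original post and is not MIT krb5 code. The function names are hypothetical, the leap-aware conversion is simulated as a fixed 24-second shift, and the "YYYYMMDDHHMMSSZ" string layout is an assumption.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#define LEAP_SECONDS 24 /* offset reported in the post */

/* Hypothetical model of the affected library call: UTC fields with the
 * leap-second count factored in, simulated as a fixed 24 s shift. */
static void leap_aware_gmtime(time_t t, struct tm *out) {
    time_t shifted = t - LEAP_SECONDS;
    *out = *gmtime(&shifted); /* host assumed to use ordinary zoneinfo */
}

/* Hypothetical leap-unaware inverse (plain POSIX day arithmetic). */
static time_t posix_gmt_mktime(const struct tm *tm) {
    long y = tm->tm_year + 1900, m = tm->tm_mon + 1;
    if (m <= 2) { y--; m += 12; }
    long days = 365 * y + y / 4 - y / 100 + y / 400
              + (153 * (m - 3) + 2) / 5 + tm->tm_mday - 719469;
    return (time_t)days * 86400 + tm->tm_hour * 3600L
         + tm->tm_min * 60 + tm->tm_sec;
}

/* Client side: build the "YYYYMMDDHHMMSSZ" string that goes on the wire. */
void make_timestr(time_t now, char buf[16]) {
    struct tm tm;
    leap_aware_gmtime(now, &tm);
    strftime(buf, 16, "%Y%m%d%H%M%SZ", &tm);
}

/* Numeric check: parse the echoed string, return clock minus parsed value. */
long numeric_skew(time_t now, const char *echoed) {
    struct tm tm;
    memset(&tm, 0, sizeof tm);
    if (sscanf(echoed, "%4d%2d%2d%2d%2d%2d", &tm.tm_year, &tm.tm_mon,
               &tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6)
        return -1; /* parse error */
    tm.tm_year -= 1900; tm.tm_mon -= 1;
    return (long)(now - posix_gmt_mktime(&tm));
}

int main(void) {
    time_t now = 1306343936; /* constructed sample: 2011-05-25 17:18:56 UTC */
    char sent[16], echoed[16];
    make_timestr(now, sent);
    strcpy(echoed, sent); /* a correct service echoes the same time */
    printf("sent=%s skew=%ld strings_equal=%d\n", sent,
           numeric_skew(now, echoed), strcmp(sent, echoed) == 0);
    return 0;
}
```

The saved and echoed strings are byte-identical, while the numeric comparison is off by the 24 seconds that only one of the two conversions applied.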