AP-REP KRB5_MUTUAL_FAILED (-1765328226L) and Leap Seconds

Dave Daugherty dave.daugherty at centrify.com
Wed May 25 13:18:56 EDT 2011

We recently stumbled upon a problem with a CentOS version 5 library that appears to factor 24 leap seconds into the gmtime_r function. This may have to do with timezone settings: http://old.nabble.com/Seeking-clarifaction-of-tai64nlocal-and-leap-seconds-td31298116.html

This leads to an AP-REQ/AP-REP failure because of the following:

AP-REQ reads gmtime_r and converts it to an ASCII time string to be sent to the service - the gmtime_r includes leap seconds.
The AP-REP comes back, and the returned time string (which is correct) is eventually given to krb5int_gmt_mktime (or gmt_mktime in older releases), where the time string is converted back into a time structure without factoring in the leap seconds.

Now the mutual authentication fails because the two values - the gmtime_r value sent and the gmt_mktime value - are off by 24 seconds.

Why not just save the time string and then compare it against the return time string to avoid this problem?
Are there other places in the code base where this might be a problem?

Dave Daugherty
Centrify Corp
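
The round trip described in the message above, as an added C example (not part of the original post and not MIT krb5 code). It assumes the time travels as a "YYYYMMDDHHMMSSZ" string, models the leap-second-aware gmtime_r as a fixed 24-second shift, and uses hypothetical helper names throughout.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#define LEAP_SHIFT 24   /* offset reported in the post */
/* Leap-second-unaware struct tm -> seconds (valid 1970-2099). Stands in for
 * the role the post gives krb5int_gmt_mktime; not the MIT krb5 source. */
static long naive_gmt_mktime(const struct tm *t)
{
    static const int cum[12] = {0,31,59,90,120,151,181,212,243,273,304,334};
    long y = t->tm_year + 1900;
    long days = (y - 1970) * 365 + (y - 1969) / 4 + cum[t->tm_mon] + t->tm_mday - 1;
    if (t->tm_mon > 1 && y % 4 == 0) days++;   /* past February in a leap year */
    return ((days * 24 + t->tm_hour) * 60 + t->tm_min) * 60 + t->tm_sec;
}

/* AP-REQ side: seconds -> "YYYYMMDDHHMMSSZ". shift models a gmtime that
 * factors leap seconds in; the direction of the shift is an assumption. */
static void encode_time(long clock, int shift, char out[16])
{
    time_t adj = (time_t)(clock - shift);
    strftime(out, 16, "%Y%m%d%H%M%SZ", gmtime(&adj));
}

/* AP-REP side: echoed string -> seconds, leap seconds ignored; -1 if malformed. */
static long decode_time(const char *s)
{
    struct tm t = {0};
    if (strlen(s) != 15 || s[14] != 'Z' ||
        sscanf(s, "%4d%2d%2d%2d%2d%2d", &t.tm_year, &t.tm_mon, &t.tm_mday,
               &t.tm_hour, &t.tm_min, &t.tm_sec) != 6 || t.tm_mon < 1 || t.tm_mon > 12)
        return -1;
    t.tm_year -= 1900; t.tm_mon -= 1;
    return naive_gmt_mktime(&t);
}

/* Seconds by which the integer comparison is off after the round trip. */
static long roundtrip_skew(long clock, int shift)
{
    char sent[16];
    encode_time(clock, shift, sent);   /* the service echoes this string unchanged */
    return clock - decode_time(sent);
}

int main(void)
{
    long clock = 1306343936L;   /* constructed: 2011-05-25 17:18:56 UTC */
    printf("skew with leap-aware gmtime: %ld s; with plain gmtime: %ld s\n",
           roundtrip_skew(clock, LEAP_SHIFT), roundtrip_skew(clock, 0));
}
```

Run on a host whose own gmtime is leap-second-unaware; the shift parameter supplies the 24 seconds explicitly.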
