AP-REP KRB5_MUTUAL_FAILED (-1765328226L) and Leap Seconds

Tom Yu tlyu at MIT.EDU
Wed May 25 20:20:49 EDT 2011

Dave Daugherty <dave.daugherty at centrify.com> writes:

>> From: Tom Yu [mailto:tlyu at MIT.EDU]
>> Sent: Wednesday, May 25, 2011 2:54 PM
>> Subject: Re: AP-REP KRB5_MUTUAL_FAILED (-1765328226L) and Leap Seconds
>> This is not the first time I've heard of this problem (thanks to Love
>> Hörnquist Åstrand for pointing it out before, along with a possible
>> solution), but I'd like to have more information about how common it
>> is.
> Sorry for the redundancy.

No problem; it not was mentioned on any public list that I recall.

> This is the first time we have seen this problem in 7 years of customers.
> I suspect we will see it more and more.

I feel like the "right" timezones should come with a big warning label
indicating that they could cause all sorts of software to break
because they cause the "Unix time" to no longer conform to POSIX,
regardless any advantage those timezones provide.

It would be really useful to know if any operating systems install
using those "right" timezones as a default.  Anyone have more
information about this?

> I may have to take a crack at solving this soon. If so I will post my fix.
> Sounds like you would prefer the roll-your-own gmtime. Seems reasonable to me.

Thanks.  I think a better solution than rolling our own gmtime() would
be to use the platform native gmtime() and timegm() if _both_ are
available, but I would really prefer to be able to discourage people
from using timezones that count leap seconds (thus breaking POSIX
time), at least given the way the timzeone libraries are currently

More information about the krbdev mailing list