Fwd: Gss context refresh failure due to clock skew

Fwd: Gss context refresh failure due to clock skew

[Adamson, Andy]

QnJpbmdpbmcgaW4gdGhlIE5GU3Y0IGFuZCBLZXJiZXJvcyBsaXN0Lg0KDQrigJQ+QW5keQ0KDQo+
IEJlZ2luIGZvcndhcmRlZCBtZXNzYWdlOg0KPiANCj4gRnJvbTogQW5keSBBZGFtc29uIDxhbmRy
b3NAbmV0YXBwLmNvbT4NCj4gU3ViamVjdDogR3NzIGNvbnRleHQgcmVmcmVzaCBmYWlsdXJlDQo+
IERhdGU6IE9jdG9iZXIgMSwgMjAxNSBhdCA0OjM5OjA2IFBNIEVEVA0KPiBUbzogQnJ1Y2UgRmll
bGRzIDxiZmllbGRzQGZpZWxkc2VzLm9yZz4NCj4gQ2M6IFNpbW8gU29yY2UgPHNpbW9AcmVkaGF0
LmNvbT4NCj4gDQo+IEhpIEJydWNlLCBTaW1vDQo+IA0KPiBXZSBhcmUgc2VlaW5nIGEgZmFpbHVy
ZSBvbiBHU1MgY29udGV4dCByZW5ld2FsIGJldHdlZW4gdGhlIExpbnV4IGNsaWVudCBhbmQgTmV0
QXBwLCBzbyBJIHRlc3RlZCBMaW51eCBjbGllbnQgdG8gTGludXggc2VydmVyIGFuZCBzZWUgYSBz
aW1pbGFyIHNpdHVhdGlvbi4NCj4gDQo+IFRoZSBzaXR1YXRpb24gb2NjdXJzIGFzIGZvbGxvd3Mu
DQo+IA0KPiAxKSBGb3Igc2ltcGxpY2l0eSAsIHNldCB0aGUgY2xpZW50IGFuZCBzZXJ2ZXIgdG8g
Ym90aCBoYXZlIHRoZSBzYW1lIEtlcmJlcm9zIGNsb2NrIHNrZXcgLSBJIGxlYXZlIHRoZSBkZWZh
dWx0IDUgbWludXRlcy4NCj4gMikgRm9yIGNvbnZlbmllbmNlLCBJIHNldCB0aGUgVEdTIGxpZmV0
aW1lcyB0byBiZSBhcyBzaG9ydCBhcyBwb3NzaWJsZSwgMTAgbWludXRlcyBmb3IgV2luMjAwOFIy
IEFEIHdoaWNoIEkgdGVzdCB3aXRoLg0KPiAzKSBDbGllbnQgY2xvY2sgaXMgc2V0IHRvIHRoZSBL
REMgKFdpbkFEKSBjbG9jayB2aWEgTlRQLg0KPiA0KSBTZXQgdGhlIHNlcnZlciBjbG9jayB0byBi
ZSAyLTMgbWludXRlcyBhaGVhZCBvZiB0aGUgY2xpZW50IGNsb2NrLCBidXQgc3RpbGwgd2l0aGlu
IHRoZSBLZXJiZXJvcyBjbG9jayBza2V3Lg0KPiA1KSBNb3VudCBORlMgd2l0aCAtbyBzZWM9a3Ji
NSAtIHRoaXMgc3VjY2VlZHMgYmVjYXVzZSBjbG9ja3MgYXJlIHdpdGhpbiB0aGUgS2VyYmVyb3Mg
Y2xvY2sgc2tldw0KPiA2KSBPbiB0aGUgY2xpZW50IGtsaXN0IC1jZSB0aGUgbWFjaGluZSBjcmVk
cyB0byBub3RlIHRoZSBzZXJ2ZXIgVEdTIGV4cGlyeSB0aW1lDQo+IDcpIE9uIHRoZSBzZXJ2ZXIs
IHdhaXQgdW50aWwgdGhlIGNsaWVudOKAmXMgc2VydmVyVEdTIGV4cGlyeSB0aW1lIGhhcyBqdXN0
IHBhc3NlZC4gTm90ZSBhdCB0aGlzIHRpbWUgdGhhdCBhY2NvcmRpbmcgdG8gdGhlIGNsaWVudCBj
bG9jaywgdGhlIFRHUyBoYXMgMi0zIG1pbnV0ZXMgb2YgYmVpbmcgdmFsaWQsIGJ1dCBvbiB0aGUg
c2VydmVyLCB0aGUgVEdTIHdpbGwgaGF2ZSBleHBpcmVkLg0KPiA4KSBPbiB0aGUgY2xpZW50LCBt
YWtlIGEgbmV3IGRpcmVjdG9yeTogbWtkaXIgL21udHBvaW50L2JsYWgNCj4gVGhlIGNsaWVudCBz
ZW5kcyBhbiBORlMgQUNDRVNTIChmb3IgdGhlIG1rZGlyKSBjYWxsIHdoaWNoIGdldHMgYmFjayBh
biBBVVRIX0VSUk9SLCBHU1MgY3JlZGVudGlhbCBwcm9ibGVtLg0KPiBUaGlzIHBva2VzIHRoZSBj
bGllbnQgdG8gZG8gYW4gdXBjYWxsIHRvIHJlZnJlc2ggdGhlIEdTUyBjb250ZXh0Lg0KPiA5KSBU
aGUgY2xpZW50IHNlbmRzIGEgTlVMTCBjYWxsIFJQQ1NFQ19HU1NfSU5JVCwgdXNpbmcgdGhlIFRH
UyBpbiB0aGUgY3JlZGVudGlhbCBjYWNoZSAobm8gY2FsbCB0byBLREMgZm9yIG5ldyBUR1MpIGJl
Y2F1c2UgdGhlIGNsaWVudCBjbG9jayBzYXlzIHRoZSBUR1MgaXMgc3RpbGwgdmFsaWQuDQo+IA0K
PiAxMCkgT05UQVA6IFRoZSBzZXJ2ZXIgcmVwbGllcyB0byB0aGUgTlVMTCBjYWxsIHdpdGggYW4g
YSBHU1MgbWlub3Igc3RhdHVzIG9mIEdTU19TX0NSRURFTlRJQUxfRVhQSVJFRC4NCj4gDQo+IDEw
KSBMSU5VWDogVGhlIHNlcnZlciBkb2VzIG5vdCByZXBseSB0byB0aGUgTlVMTCBSUENTRUNfR1NT
X0lOSVQgY2FsbCwgaW4gZmFjdCwgdGhlIExpbnV4IHNlcnZlciBzZW5kcyBhIEZJTiB0byB0aGUg
Y2xpZW50IGdzc2QgY29ubmVjdGlvbi4NCj4gDQo+IDExKSBUaGUgbWtkaXIgcmVxdWVzdCBnZXRz
IHBlcm1pc3Npb24gZGVuaWVkDQo+IA0KPiAxMikgV2FpdCB1bnRpbCB0aGUgY2xpZW50IGNsb2Nr
IGlzIHBhc3QgdGhlIHNlcnZlciBUR1MgZXhwaXJ5IHRpbWUNCj4gMTMpIHJlLXRyeSB0aGUgbWtk
aXIgLSBpdCBzdWNjZWVkcyBhZnRlciBhIHN1Y2Nlc3NmdWwgR1NTIElOSVQgTlVMTCBjYWxsIGV4
Y2hhbmdlIGZvciBib3RoIHNlcnZlcnMuDQo+IA0KPiBJbiB0aGUgT05UQVAgY2FzZSwgdGhlIGFj
Y2VwdF9zZWNfY29udGV4dCBjYWxsIGludG8gdGhlIE1JVCBsaWJyYXJpZXMgZmFpbHMgKGV2ZW4g
dGhvdWdoIGtyYjVfY2hlY2tfY2xvY2tza2V3KCkgaXMgYXBwYXJlbnRseSBjYWxsZWQpLiBJIGJl
bGlldmUgdGhlIGdzc19wcm94eSBvbiBMaW51eCBhbHNvIGp1c3QgY2FsbHMgaW50byB0aGUgTUlU
IGxpYnJhcmllcy4gDQo+IA0KPiBTaG91bGRu4oCZdCB0aGVzZSByZWZyZXNoIGNhbGxzIHN1Y2Nl
ZWQ/IElzbuKAmXQgdGhlIEtlcmJlcm9zIGNsb2NrIHNrZXcgc3VwcG9zZWQgdG8gaGFuZGxlIHRo
aXMgc2l0dWF0aW9uPw0KPiANCj4g4oCUPkFuZHkNCg0K

Re: Fwd: Gss context refresh failure due to clock skew

[Greg Hudson]

Sorry for the delay; Andy's mail got stuck in the krbdev moderation
queue by mistake.

On 10/01/2015 05:30 PM, Adamson, Andy wrote:
> The situation occurs as follows.

I am a little bit confused by this description because of terminology
issues.  In your description, you appear to use the phrase "TGS" to
refer to service tickets (i.e. tickets whose service principal is
nfs/server.name), but I can't be sure.  The actual meaning of "TGS" is
"ticket-granting service," i.e. the KDC service whose principal name is
krbtgt/REALM.

> 2) For convenience, I set the TGS lifetimes to be as short as possible, 10 minutes for Win2008R2 AD which I test with.

Are you setting the maximum lifetime for nfs/server.name tickets to 10
minutes, but still allowing ticket-granting tickets to have a lifetime
of multiple hours?

>> 12) Wait until the client clock is past the server TGS expiry time
>> 13) re-try the mkdir - it succeeds after a successful GSS INIT NULL call exchange for both servers.

If I understand correctly, this request succeeds because
krb5_get_credentials() ignores the expired cached service ticket and
makes a TGS request for a new service ticket.  The cache now contains:

* A ticket for krbtgt/REALM with hours remaining
* A ticket for nfs/server.name which expired recently
* Another ticket for nfs/server.name which expires in ten minutes

Is that correct?

> Shouldn’t these refresh calls succeed? Isn’t the Kerberos clock skew supposed to handle this situation?

I think this case doesn't arise often because people don't often set
maximum service ticket lifetimes to be shorter than maximum TGT
lifetimes.  If the TGT itself has expired or is about to expire, some
out-of-band agent needs to refresh the TGT somehow, and it doesn't
matter all that much whether the failure comes from the client or the
server.

That said, your scenario should work, and it doesn't.  The primary cause
is an explicit check added to the krb5 mech's gss_accept_sec_context()
implementation in 1996 (before the MIT krb5 1.0 release), which checks
the ticket endtime with no allowance for clock skew.  I don't know
precisely why the check was added, but my guess it is for the
computation of the context validity lifetime; it would make no sense to
tell the application "the authentication succeeded and the resulting
context is valid for the next -3 minutes."

Perhaps a better choice would be to remove this check, and instead add
the clock skew to the validity lifetime of GSS krb5 acceptor contexts.

Re: Gss context refresh failure due to clock skew

[Adamson, Andy]

DQo+IE9uIE9jdCA1LCAyMDE1LCBhdCAzOjEwIFBNLCBHcmVnIEh1ZHNvbiA8Z2h1ZHNvbkBNSVQu
RURVPiB3cm90ZToNCj4gDQo+IFNvcnJ5IGZvciB0aGUgZGVsYXk7IEFuZHkncyBtYWlsIGdvdCBz
dHVjayBpbiB0aGUga3JiZGV2IG1vZGVyYXRpb24NCj4gcXVldWUgYnkgbWlzdGFrZS4NCj4gDQo+
IE9uIDEwLzAxLzIwMTUgMDU6MzAgUE0sIEFkYW1zb24sIEFuZHkgd3JvdGU6DQo+PiBUaGUgc2l0
dWF0aW9uIG9jY3VycyBhcyBmb2xsb3dzLg0KPiANCj4gSSBhbSBhIGxpdHRsZSBiaXQgY29uZnVz
ZWQgYnkgdGhpcyBkZXNjcmlwdGlvbiBiZWNhdXNlIG9mIHRlcm1pbm9sb2d5DQo+IGlzc3Vlcy4g
IEluIHlvdXIgZGVzY3JpcHRpb24sIHlvdSBhcHBlYXIgdG8gdXNlIHRoZSBwaHJhc2UgIlRHUyIg
dG8NCj4gcmVmZXIgdG8gc2VydmljZSB0aWNrZXRzIChpLmUuIHRpY2tldHMgd2hvc2Ugc2Vydmlj
ZSBwcmluY2lwYWwgaXMNCj4gbmZzL3NlcnZlci5uYW1lKSwgYnV0IEkgY2FuJ3QgYmUgc3VyZS4g
IFRoZSBhY3R1YWwgbWVhbmluZyBvZiAiVEdTIiBpcw0KPiAidGlja2V0LWdyYW50aW5nIHNlcnZp
Y2UsIiBpLmUuIHRoZSBLREMgc2VydmljZSB3aG9zZSBwcmluY2lwYWwgbmFtZSBpcw0KPiBrcmJ0
Z3QvUkVBTE0uDQoNCkhpIEdyZWcNCg0KUGFyZG9uIG15IHRlcm1pbm9sb2d5IGdhZmYuIEkgbWVh
biBhIHRpY2tldCBmb3IgbmZzL3NlcnZlci5uYW1lLg0KDQo+IA0KPj4gMikgRm9yIGNvbnZlbmll
bmNlLCBJIHNldCB0aGUgVEdTIGxpZmV0aW1lcyB0byBiZSBhcyBzaG9ydCBhcyBwb3NzaWJsZSwg
MTAgbWludXRlcyBmb3IgV2luMjAwOFIyIEFEIHdoaWNoIEkgdGVzdCB3aXRoLg0KPiANCj4gQXJl
IHlvdSBzZXR0aW5nIHRoZSBtYXhpbXVtIGxpZmV0aW1lIGZvciBuZnMvc2VydmVyLm5hbWUgdGlj
a2V0cyB0byAxMA0KPiBtaW51dGVzLCBidXQgc3RpbGwgYWxsb3dpbmcgdGlja2V0LWdyYW50aW5n
IHRpY2tldHMgdG8gaGF2ZSBhIGxpZmV0aW1lDQo+IG9mIG11bHRpcGxlIGhvdXJzPw0KDQpbcm9v
dEByaGVsNi03Z2Egc2xlcy1rZXJuZWxdIyBrbGlzdCAtY2UgL3RtcC9rcmI1Y2NfbWFjaGluZV9B
TkRST1NBRC5GQUtFDQpUaWNrZXQgY2FjaGU6IEZJTEU6L3RtcC9rcmI1Y2NfbWFjaGluZV9BTkRS
T1NBRC5GQUtFDQpEZWZhdWx0IHByaW5jaXBhbDogbmZzL3JoZWw2LTdnYS5hbmRyb3NhZC5mYWtl
QEFORFJPU0FELkZBS0UNCg0KVmFsaWQgc3RhcnRpbmcgICAgIEV4cGlyZXMgICAgICAgICAgICBT
ZXJ2aWNlIHByaW5jaXBhbA0KMDkvMzAvMTUgMTE6NTc6MDIgIDA5LzMwLzE1IDEyOjU3OjAyICBr
cmJ0Z3QvQU5EUk9TQUQuRkFLRUBBTkRST1NBRC5GQUtFDQogICAgICAgIHJlbmV3IHVudGlsIDEw
LzA3LzE1IDExOjU3OjAyLCBFdHlwZSAoc2tleSwgdGt0KTogYWVzMjU2LWN0cy1obWFjLXNoYTEt
OTYsIGFlczI1Ni1jdHMtaG1hYy1zaGExLTk2DQowOS8zMC8xNSAxMTo1NzowMiAgMDkvMzAvMTUg
MTI6MDc6MDIgIG5mcy9yaGVsNy0xZ2EtNC5hbmRyb3NhZC5mYWtlQEFORFJPU0FELkZBS0UNCiAg
ICAgICAgcmVuZXcgdW50aWwgMTAvMDcvMTUgMTE6NTc6MDIsIEV0eXBlIChza2V5LCB0a3QpOiBh
cmNmb3VyLWhtYWMsIGFyY2ZvdXItaG1hYw0KDQoNCj4gDQo+Pj4gMTIpIFdhaXQgdW50aWwgdGhl
IGNsaWVudCBjbG9jayBpcyBwYXN0IHRoZSBzZXJ2ZXIgVEdTIGV4cGlyeSB0aW1lDQo+Pj4gMTMp
IHJlLXRyeSB0aGUgbWtkaXIgLSBpdCBzdWNjZWVkcyBhZnRlciBhIHN1Y2Nlc3NmdWwgR1NTIElO
SVQgTlVMTCBjYWxsIGV4Y2hhbmdlIGZvciBib3RoIHNlcnZlcnMuDQo+IA0KPiBJZiBJIHVuZGVy
c3RhbmQgY29ycmVjdGx5LCB0aGlzIHJlcXVlc3Qgc3VjY2VlZHMgYmVjYXVzZQ0KPiBrcmI1X2dl
dF9jcmVkZW50aWFscygpIGlnbm9yZXMgdGhlIGV4cGlyZWQgY2FjaGVkIHNlcnZpY2UgdGlja2V0
IGFuZA0KPiBtYWtlcyBhIFRHUyByZXF1ZXN0IGZvciBhIG5ldyBzZXJ2aWNlIHRpY2tldC4gIFRo
ZSBjYWNoZSBub3cgY29udGFpbnM6DQo+IA0KPiAqIEEgdGlja2V0IGZvciBrcmJ0Z3QvUkVBTE0g
d2l0aCBob3VycyByZW1haW5pbmcNCj4gKiBBIHRpY2tldCBmb3IgbmZzL3NlcnZlci5uYW1lIHdo
aWNoIGV4cGlyZWQgcmVjZW50bHkNCj4gKiBBbm90aGVyIHRpY2tldCBmb3IgbmZzL3NlcnZlci5u
YW1lIHdoaWNoIGV4cGlyZXMgaW4gdGVuIG1pbnV0ZXMNCj4gDQo+IElzIHRoYXQgY29ycmVjdD8N
Cg0KWWVzLCBhbmQgdGhlIG5ldyBzZXJ2aWNlIHRpY2tldCBwcm9kdWNlcyBhbiBSUENTRUNfR1NT
X0lOSVQgdG9rZW4gdGhhdCBoYXMgYW4gZXhwaXJ5IHRoYXQgcGFzc2VzIHRoZSBzZXJ2ZXJzIGNs
b2NrIHRlc3QuDQoNCj4gDQo+PiBTaG91bGRu4oCZdCB0aGVzZSByZWZyZXNoIGNhbGxzIHN1Y2Nl
ZWQ/IElzbuKAmXQgdGhlIEtlcmJlcm9zIGNsb2NrIHNrZXcgc3VwcG9zZWQgdG8gaGFuZGxlIHRo
aXMgc2l0dWF0aW9uPw0KPiANCj4gSSB0aGluayB0aGlzIGNhc2UgZG9lc24ndCBhcmlzZSBvZnRl
biBiZWNhdXNlIHBlb3BsZSBkb24ndCBvZnRlbiBzZXQNCj4gbWF4aW11bSBzZXJ2aWNlIHRpY2tl
dCBsaWZldGltZXMgdG8gYmUgc2hvcnRlciB0aGFuIG1heGltdW0gVEdUDQo+IGxpZmV0aW1lcy4g
IA0KDQpOb3QgdGhlIGNhdXNlIG9mIHRoZSBpc3N1ZS4gVGhlIHNlcnZpY2UgdGlja2V0IGxpZmV0
aW1lIG9mIDEwIG1pbnV0ZXMgaXMganVzdCB0aGVyZSBmb3IgdGVzdGluZyB0aGlzIGlzc3VlIGFz
IEkgbmVlZGVkIHRvIHdhaXQgdW50aWwgdGhlIHNlcnZpY2UgdGlja2V0IGhhZCDigJhleHBpcmVk
4oCZIG9uIHRoZSBzZXJ2ZXIgLSBidXQgbm90IHlldCBvbiB0aGUgY2xpZW50Lg0KDQpXZSBzZWUg
dGhpcyBpc3N1ZSBhbGwgdGhlIHRpbWUgaW4gTmV0QXBwIFFBIGFzIHdlIHJ1biBtdXRpcGxlIGRh
eSBoZWF2eSBJTyB0ZXN0cyBhZ2FpbnN0IGEga2VyYmVyb3MgbW91bnQuIElmIHRoZSBzZXJ2ZXIg
Y2xvY2sgaXMgYWhlYWQgb2YgdGhlIGNsaWVudCBjbG9jaywgcGVybWlzc2lvbiBkZW5pZWQgZXJy
b3JzIHN0b3AgdGhlIHRlc3QgYXMgdGhlIGZpcnN0IHNlcnZpY2UgdGlja2V0IOKAnGV4cGlyZXPi
gJ0gb24gdGhlIHNlcnZlciBidXQgbm90IG9uIHRoZSBjbGllbnQuDQoNCg0KPiBJZiB0aGUgVEdU
IGl0c2VsZiBoYXMgZXhwaXJlZCBvciBpcyBhYm91dCB0byBleHBpcmUsIHNvbWUNCj4gb3V0LW9m
LWJhbmQgYWdlbnQgbmVlZHMgdG8gcmVmcmVzaCB0aGUgVEdUIHNvbWVob3csIGFuZCBpdCBkb2Vz
bid0DQo+IG1hdHRlciBhbGwgdGhhdCBtdWNoIHdoZXRoZXIgdGhlIGZhaWx1cmUgY29tZXMgZnJv
bSB0aGUgY2xpZW50IG9yIHRoZQ0KPiBzZXJ2ZXIuDQoNCkkgdGhvdWdodCB0aGF0IGhhdmluZyBh
IGtleXRhYiBlbnRyeSBhbmQgYSByZW5ld2FibGUgVEdUIHdhcyBlbm91Z2guDQoNCj4gDQo+IFRo
YXQgc2FpZCwgeW91ciBzY2VuYXJpbyBzaG91bGQgd29yaywgYW5kIGl0IGRvZXNuJ3QuICBUaGUg
cHJpbWFyeSBjYXVzZQ0KPiBpcyBhbiBleHBsaWNpdCBjaGVjayBhZGRlZCB0byB0aGUga3JiNSBt
ZWNoJ3MgZ3NzX2FjY2VwdF9zZWNfY29udGV4dCgpDQo+IGltcGxlbWVudGF0aW9uIGluIDE5OTYg
KGJlZm9yZSB0aGUgTUlUIGtyYjUgMS4wIHJlbGVhc2UpLCB3aGljaCBjaGVja3MNCj4gdGhlIHRp
Y2tldCBlbmR0aW1lIHdpdGggbm8gYWxsb3dhbmNlIGZvciBjbG9jayBza2V3LiAgSSBkb24ndCBr
bm93DQo+IHByZWNpc2VseSB3aHkgdGhlIGNoZWNrIHdhcyBhZGRlZCwgYnV0IG15IGd1ZXNzIGl0
IGlzIGZvciB0aGUNCj4gY29tcHV0YXRpb24gb2YgdGhlIGNvbnRleHQgdmFsaWRpdHkgbGlmZXRp
bWU7IGl0IHdvdWxkIG1ha2Ugbm8gc2Vuc2UgdG8NCj4gdGVsbCB0aGUgYXBwbGljYXRpb24gInRo
ZSBhdXRoZW50aWNhdGlvbiBzdWNjZWVkZWQgYW5kIHRoZSByZXN1bHRpbmcNCj4gY29udGV4dCBp
cyB2YWxpZCBmb3IgdGhlIG5leHQgLTMgbWludXRlcy7igJ0NCg0KVGhhdCBhbHNvIG1ha2VzIG5v
IHNlbnNlIC0gc2ltcGx5IHVzZSB0aGUga2VyYmVyb3MgY2xvY2sgc2tldyBpbiB0aGUgbWVzc2Fn
ZS4gZS5nLiBpZiB0aGUgY2xvY2sgc2tldyBpcyA1IG1pbnV0ZXMsIGFuZCBpZiBhY2NvcmRpbmcg
dG8gdGhlIHNlcnZlciBjbG9jayB0aGUgdGlja2V0IGhhcyBiZWVuIGV4cGlyZWQgZm9yIDIgbWlu
dXRlcywgdGhlbiB0aGUgbWVzc2FnZSBiZWNvbWVzICJ0aGUgYXV0aGVudGljYXRpb24gc3VjY2Vl
ZGVkIGFuZCB0aGUgcmVzdWx0aW5nIGNvbnRleHQgaXMgdmFsaWQgZm9yIHRoZSBuZXh0IDMgbWlu
dXRlcy7igJ0gIGFzIHRoZXJlIGFyZSAzIG1pbnV0ZXMgbGVmdCBpbiB0aGUgc2VydmVyIGNsb2Nr
IHRpbWUgY2F2YXQgdGhlIGNvbmZpZ3VyZWQga2VyYmVyb3MgY2xvY2sgc2tldy4NCg0KDQo+IA0K
PiBQZXJoYXBzIGEgYmV0dGVyIGNob2ljZSB3b3VsZCBiZSB0byByZW1vdmUgdGhpcyBjaGVjaywg
YW5kIGluc3RlYWQgYWRkDQo+IHRoZSBjbG9jayBza2V3IHRvIHRoZSB2YWxpZGl0eSBsaWZldGlt
ZSBvZiBHU1Mga3JiNSBhY2NlcHRvciBjb250ZXh0cy4NCg0KWWVzLiBUaGF0IGlzIG15IG9waW5p
b24uDQoNCuKAlD5BbmR5DQoNCg==

Re: Gss context refresh failure due to clock skew

[Greg Hudson]

On 10/05/2015 03:35 PM, Adamson, Andy wrote:
>> I think this case doesn't arise often because people don't often set
>> maximum service ticket lifetimes to be shorter than maximum TGT
>> lifetimes.  
> 
> Not the cause of the issue. The service ticket lifetime of 10 minutes is just there for testing this issue as I needed to wait until the service ticket had ‘expired’ on the server - but not yet on the client.
> 
> We see this issue all the time in NetApp QA as we run mutiple day heavy IO tests against a kerberos mount. If the server clock is ahead of the client clock, permission denied errors stop the test as the first service ticket “expires” on the server but not on the client.

If the issue is not caused by short-lifetime service principals, then
the test scenario you described isn't representative of the real
scenario.  To reproduce the problem as it manifests in your IO tests,
you will need to adjust the TGT lifetime down to ten minutes as well as
the nfs/server lifetime.

>> If the TGT itself has expired or is about to expire, some
>> out-of-band agent needs to refresh the TGT somehow, and it doesn't
>> matter all that much whether the failure comes from the client or the
>> server.
> 
> I thought that having a keytab entry and a renewable TGT was enough.

I'm not sure why you would do both of these; if you're getting initial
creds with a keytab, there is no need to muck around with ticket renewal.

Anyway, gss_init_sec_context() never renews tickets, and only gets
tickets from a keytab when a client keytab is configured (new in 1.11).
 When tickets are obtained using a client keytab, they are refreshed
from the keytab when they are halfway to expiring, so this clock skew
issue should not arise, so I don't think that feature is being used.

It is possible that the NFS client code has its own separate logic for
obtaining new tickets using a keytab.  If so, we need to understand how
it works.  It's possible (though unlikely) that changing the behavior of
gss_accept_sec_context() wouldn't be sufficient by itself.

Re: Gss context refresh failure due to clock skew

[Adamson, Andy]

DQo+IE9uIE9jdCA1LCAyMDE1LCBhdCA0OjAyIFBNLCBHcmVnIEh1ZHNvbiA8Z2h1ZHNvbkBNSVQu
RURVPiB3cm90ZToNCj4gDQo+IE9uIDEwLzA1LzIwMTUgMDM6MzUgUE0sIEFkYW1zb24sIEFuZHkg
d3JvdGU6DQo+Pj4gSSB0aGluayB0aGlzIGNhc2UgZG9lc24ndCBhcmlzZSBvZnRlbiBiZWNhdXNl
IHBlb3BsZSBkb24ndCBvZnRlbiBzZXQNCj4+PiBtYXhpbXVtIHNlcnZpY2UgdGlja2V0IGxpZmV0
aW1lcyB0byBiZSBzaG9ydGVyIHRoYW4gbWF4aW11bSBUR1QNCj4+PiBsaWZldGltZXMuICANCj4+
IA0KPj4gTm90IHRoZSBjYXVzZSBvZiB0aGUgaXNzdWUuIFRoZSBzZXJ2aWNlIHRpY2tldCBsaWZl
dGltZSBvZiAxMCBtaW51dGVzIGlzIGp1c3QgdGhlcmUgZm9yIHRlc3RpbmcgdGhpcyBpc3N1ZSBh
cyBJIG5lZWRlZCB0byB3YWl0IHVudGlsIHRoZSBzZXJ2aWNlIHRpY2tldCBoYWQg4oCYZXhwaXJl
ZOKAmSBvbiB0aGUgc2VydmVyIC0gYnV0IG5vdCB5ZXQgb24gdGhlIGNsaWVudC4NCj4+IA0KPj4g
V2Ugc2VlIHRoaXMgaXNzdWUgYWxsIHRoZSB0aW1lIGluIE5ldEFwcCBRQSBhcyB3ZSBydW4gbXV0
aXBsZSBkYXkgaGVhdnkgSU8gdGVzdHMgYWdhaW5zdCBhIGtlcmJlcm9zIG1vdW50LiBJZiB0aGUg
c2VydmVyIGNsb2NrIGlzIGFoZWFkIG9mIHRoZSBjbGllbnQgY2xvY2ssIHBlcm1pc3Npb24gZGVu
aWVkIGVycm9ycyBzdG9wIHRoZSB0ZXN0IGFzIHRoZSBmaXJzdCBzZXJ2aWNlIHRpY2tldCDigJxl
eHBpcmVz4oCdIG9uIHRoZSBzZXJ2ZXIgYnV0IG5vdCBvbiB0aGUgY2xpZW50Lg0KPiANCj4gSWYg
dGhlIGlzc3VlIGlzIG5vdCBjYXVzZWQgYnkgc2hvcnQtbGlmZXRpbWUgc2VydmljZSBwcmluY2lw
YWxzLA0KDQpJIHdhcyB3cm9uZyAtIHlvdSBhcmUgcmlnaHQsIGl0IGlzIGNhdXNlZCBieSBzZXJ2
aWNlIHRpY2tldCBsaWZldGltZXMgYmVpbmcgc2hvcnRlciB0aGFuIFRHVCBsaWZldGltZXMuDQoN
CkkgZGlkbuKAmXQga25vdyBzZXR0aW5nIHRoZSBzZXJ2aWNlIHRpY2tldCBsaWZldGltZXMgdG8g
bm90IGJlIGxlc3MgdGhhbiBUR1QgbGlmZXRpbWVzIHdhcyBhIHJlcXVpcmVtZW50LiBOZWl0aGVy
IGRvZXMgTmV0QXBwIFFBIGFuZCBJIHN1c3BlY3QsIG5laXRoZXIgZG8gY3VzdG9tZXJzIGluIGdl
bmVyYWwuDQoNCj4gdGhlbg0KPiB0aGUgdGVzdCBzY2VuYXJpbyB5b3UgZGVzY3JpYmVkIGlzbid0
IHJlcHJlc2VudGF0aXZlIG9mIHRoZSByZWFsDQo+IHNjZW5hcmlvLiAgVG8gcmVwcm9kdWNlIHRo
ZSBwcm9ibGVtIGFzIGl0IG1hbmlmZXN0cyBpbiB5b3VyIElPIHRlc3RzLA0KPiB5b3Ugd2lsbCBu
ZWVkIHRvIGFkanVzdCB0aGUgVEdUIGxpZmV0aW1lIGRvd24gdG8gdGVuIG1pbnV0ZXMgYXMgd2Vs
bCBhcw0KPiB0aGUgbmZzL3NlcnZlciBsaWZldGltZS4NCg0KQ29kZSB3YXMgYWRkZWQgdG8gcnBj
Lmdzc2QsIHRoZSBORlMgY2xpZW50IGFnZW50IHRoYXQgY3JlYXRlcyBHU1MgY29udGV4dHMgZm9y
IE5GUywgdG8gdGFrZSBpbnRvIGFjY291bnQgdGhlIGNsb2NrIHNrZXcgYW5kIGdldCBhIG5ldyBU
R1QgYmVmb3JlIChub3crY2xvY2sgc2tldykuIFNvIGlmIHRoZSBzZXJ2aWNlIHRpY2tldCBsaWZl
dGltZSBpcyBlcXVhbCB0byBvciBncmVhdGVyIHRoYW4gdGhlIFRHVCBsaWZldGltZSwgdGhlbiBh
bGwgaXMgd2VsbC4NCg0KPiANCj4+PiBJZiB0aGUgVEdUIGl0c2VsZiBoYXMgZXhwaXJlZCBvciBp
cyBhYm91dCB0byBleHBpcmUsIHNvbWUNCj4+PiBvdXQtb2YtYmFuZCBhZ2VudCBuZWVkcyB0byBy
ZWZyZXNoIHRoZSBUR1Qgc29tZWhvdywgYW5kIGl0IGRvZXNuJ3QNCj4+PiBtYXR0ZXIgYWxsIHRo
YXQgbXVjaCB3aGV0aGVyIHRoZSBmYWlsdXJlIGNvbWVzIGZyb20gdGhlIGNsaWVudCBvciB0aGUN
Cj4+PiBzZXJ2ZXIuDQo+PiANCj4+IEkgdGhvdWdodCB0aGF0IGhhdmluZyBhIGtleXRhYiBlbnRy
eSBhbmQgYSByZW5ld2FibGUgVEdUIHdhcyBlbm91Z2guDQo+IA0KPiBJJ20gbm90IHN1cmUgd2h5
IHlvdSB3b3VsZCBkbyBib3RoIG9mIHRoZXNlOyBpZiB5b3UncmUgZ2V0dGluZyBpbml0aWFsDQo+
IGNyZWRzIHdpdGggYSBrZXl0YWIsIHRoZXJlIGlzIG5vIG5lZWQgdG8gbXVjayBhcm91bmQgd2l0
aCB0aWNrZXQgcmVuZXdhbC4NCg0KSSB3b3VsZG7igJl0LCBidXQgUUEgYW5kIGN1c3RvbWVycyBk
by4NCg0KPiANCj4gQW55d2F5LCBnc3NfaW5pdF9zZWNfY29udGV4dCgpIG5ldmVyIHJlbmV3cyB0
aWNrZXRzLCBhbmQgb25seSBnZXRzDQo+IHRpY2tldHMgZnJvbSBhIGtleXRhYiB3aGVuIGEgY2xp
ZW50IGtleXRhYiBpcyBjb25maWd1cmVkIChuZXcgaW4gMS4xMSkuDQo+IFdoZW4gdGlja2V0cyBh
cmUgb2J0YWluZWQgdXNpbmcgYSBjbGllbnQga2V5dGFiLCB0aGV5IGFyZSByZWZyZXNoZWQNCj4g
ZnJvbSB0aGUga2V5dGFiIHdoZW4gdGhleSBhcmUgaGFsZndheSB0byBleHBpcmluZywNCg0KcmVm
cmVzaGVkIGJ54oCmPw0KDQo+IHNvIHRoaXMgY2xvY2sgc2tldw0KPiBpc3N1ZSBzaG91bGQgbm90
IGFyaXNlLCBzbyBJIGRvbid0IHRoaW5rIHRoYXQgZmVhdHVyZSBpcyBiZWluZyB1c2VkLg0KPiAN
Cj4gSXQgaXMgcG9zc2libGUgdGhhdCB0aGUgTkZTIGNsaWVudCBjb2RlIGhhcyBpdHMgb3duIHNl
cGFyYXRlIGxvZ2ljIGZvcg0KPiBvYnRhaW5pbmcgbmV3IHRpY2tldHMgdXNpbmcgYSBrZXl0YWIu
ICANCg0KV2hlbiBhbiBORlMgcmVxdWVzdCByZXF1aXJlcyBhIEdTUyBjb250ZXh0LCBpZiB0aGUg
Y29udGV4dCBkb2VzIG5vdCBleGlzdCwgaXMgbm90IHZhbGlkLCBvciBpZiBpdCBpcyB2YWxpZCBi
dXQgdGhlIHNlcnZlciByZXBsaWVzIHRvIGFuIFJQQyByZXF1ZXN0IHVzaW5nIGEgR1NTIGNvbnRl
eHQgd2l0aCBhbiBSUEMgZXJyb3IgdGhhdCBpbmRpY2F0ZXMgaXTigJlzIHNpZGUgb2YgdGhlIEdT
UyBjb250ZXh0IGhhcyBhIHByb2JsZW0sIHRoZSBjbGllbnQga2VybmVsIGRvZXMgYW4gdXBjYWxs
IHRvIHJwYy5nc3NkIHdoaWNoIHRoZW4gZGVjaWRlcyBpZiBhIG5ldyBzZXJ2aWNlIHRpY2tldCBp
cyByZXF1aXJlZCB0byBzZW5kIGFuIFJQQ1NFQ19HU1NfSU5JVCBtZXNzYWdlIHRvIHRoZSBzZXJ2
ZXIgdG8gY3JlYXRlIGEgbmV3IEdTUyBjb250ZXh0LiBUaGUgcmVzdWx0YW50IEdTUyBjb250ZXh0
IGlzIHN0b3JlZCBpbiB0aGUgY2xpZW50IGtlcm5lbCB3aXRoIGEgbGlmZXRpbWUgZXF1YWwgdG8g
dGhlIHNlcnZpY2UgdGlja2V0IHVzZWQgdG8gY3JlYXRlIGl0Lg0KDQpJZiBycGMuZ3NzZCBjYWxs
cyB0aGUgY29kZSB0aGF0IHJlZnJlc2hlcyB0aGUgdGlja2V0cyBmcm9tIHRoZSBrZXl0YWIgd2hl
biB0aGV5IGFyZSBoYWxmIHdheSB0byBleHBpcmluZ+KAmSB0aGVuIHRoYXQgc2hvdWxkIG1pdGln
YXRlIHRoZSBjbG9jayBza2V3IGlzc3VlLg0KDQoNCj4gSWYgc28sIHdlIG5lZWQgdG8gdW5kZXJz
dGFuZCBob3cNCj4gaXQgd29ya3MuICBJdCdzIHBvc3NpYmxlICh0aG91Z2ggdW5saWtlbHkpIHRo
YXQgY2hhbmdpbmcgdGhlIGJlaGF2aW9yIG9mDQo+IGdzc19hY2NlcHRfc2VjX2NvbnRleHQoKSB3
b3VsZG4ndCBiZSBzdWZmaWNpZW50IGJ5IGl0c2VsZi4NCg0K

Re: Gss context refresh failure due to clock skew

[Benjamin Kaduk]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 4315 bytes --]

On Mon, 5 Oct 2015, Adamson, Andy wrote:

>
> > On Oct 5, 2015, at 4:02 PM, Greg Hudson <ghudson@MIT.EDU> wrote:
> >
> > On 10/05/2015 03:35 PM, Adamson, Andy wrote:
> >>> I think this case doesn't arise often because people don't often set
> >>> maximum service ticket lifetimes to be shorter than maximum TGT
> >>> lifetimes.
> >>
> >> Not the cause of the issue. The service ticket lifetime of 10 minutes is just there for testing this issue as I needed to wait until the service ticket had ‘expired’ on the server - but not yet on the client.
> >>
> >> We see this issue all the time in NetApp QA as we run mutiple day heavy IO tests against a kerberos mount. If the server clock is ahead of the client clock, permission denied errors stop the test as the first service ticket “expires” on the server but not on the client.
> >
> > If the issue is not caused by short-lifetime service principals,
>
> I was wrong - you are right, it is caused by service ticket lifetimes being shorter than TGT lifetimes.
>
> I didn’t know setting the service ticket lifetimes to not be less than
> TGT lifetimes was a requirement. Neither does NetApp QA and I suspect,
> neither do customers in general.

It's not a requirement.  (Greg explicitly said "That said, your scenario
should work, and it doesn't." in his first message.)

> > then
> > the test scenario you described isn't representative of the real
> > scenario.  To reproduce the problem as it manifests in your IO tests,
> > you will need to adjust the TGT lifetime down to ten minutes as well as
> > the nfs/server lifetime.
>
> Code was added to rpc.gssd, the NFS client agent that creates GSS
> contexts for NFS, to take into account the clock skew and get a new TGT
> before (now+clock skew). So if the service ticket lifetime is equal to
> or greater than the TGT lifetime, then all is well.
>
> >
> >>> If the TGT itself has expired or is about to expire, some
> >>> out-of-band agent needs to refresh the TGT somehow, and it doesn't
> >>> matter all that much whether the failure comes from the client or the
> >>> server.
> >>
> >> I thought that having a keytab entry and a renewable TGT was enough.
> >
> > I'm not sure why you would do both of these; if you're getting initial
> > creds with a keytab, there is no need to muck around with ticket renewal.
>
> I wouldn’t, but QA and customers do.
>
> >
> > Anyway, gss_init_sec_context() never renews tickets, and only gets
> > tickets from a keytab when a client keytab is configured (new in 1.11).
> > When tickets are obtained using a client keytab, they are refreshed
> > from the keytab when they are halfway to expiring,
>
> refreshed by…?

The GSS library itself.
http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation and
http://web.mit.edu/kerberos/krb5-latest/doc/basic/keytab_def.html#default-client-keytab
give a little bit of intro, though this feature could benefit from better
documentation.

-Ben

> > so this clock skew
> > issue should not arise, so I don't think that feature is being used.
> >
> > It is possible that the NFS client code has its own separate logic for
> > obtaining new tickets using a keytab.
>
> When an NFS request requires a GSS context, if the context does not
> exist, is not valid, or if it is valid but the server replies to an RPC
> request using a GSS context with an RPC error that indicates it’s side
> of the GSS context has a problem, the client kernel does an upcall to
> rpc.gssd which then decides if a new service ticket is required to send
> an RPCSEC_GSS_INIT message to the server to create a new GSS context.
> The resultant GSS context is stored in the client kernel with a lifetime
> equal to the service ticket used to create it.
>
> If rpc.gssd calls the code that refreshes the tickets from the keytab
> when they are half way to expiring’ then that should mitigate the clock
> skew issue.
>
>
> > If so, we need to understand how
> > it works.  It's possible (though unlikely) that changing the behavior of
> > gss_accept_sec_context() wouldn't be sufficient by itself.
>
>
> _______________________________________________
> krbdev mailing list             krbdev@mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
>

Re: Gss context refresh failure due to clock skew

[Adamson, Andy]

DQo+IE9uIE9jdCA1LCAyMDE1LCBhdCA4OjAyIFBNLCBCZW5qYW1pbiBLYWR1ayA8a2FkdWtATUlU
LkVEVT4gd3JvdGU6DQo+IA0KPiBPbiBNb24sIDUgT2N0IDIwMTUsIEFkYW1zb24sIEFuZHkgd3Jv
dGU6DQo+IA0KPj4gDQo+Pj4gT24gT2N0IDUsIDIwMTUsIGF0IDQ6MDIgUE0sIEdyZWcgSHVkc29u
IDxnaHVkc29uQE1JVC5FRFU+IHdyb3RlOg0KPj4+IA0KPj4+IE9uIDEwLzA1LzIwMTUgMDM6MzUg
UE0sIEFkYW1zb24sIEFuZHkgd3JvdGU6DQo+Pj4+PiBJIHRoaW5rIHRoaXMgY2FzZSBkb2Vzbid0
IGFyaXNlIG9mdGVuIGJlY2F1c2UgcGVvcGxlIGRvbid0IG9mdGVuIHNldA0KPj4+Pj4gbWF4aW11
bSBzZXJ2aWNlIHRpY2tldCBsaWZldGltZXMgdG8gYmUgc2hvcnRlciB0aGFuIG1heGltdW0gVEdU
DQo+Pj4+PiBsaWZldGltZXMuDQo+Pj4+IA0KPj4+PiBOb3QgdGhlIGNhdXNlIG9mIHRoZSBpc3N1
ZS4gVGhlIHNlcnZpY2UgdGlja2V0IGxpZmV0aW1lIG9mIDEwIG1pbnV0ZXMgaXMganVzdCB0aGVy
ZSBmb3IgdGVzdGluZyB0aGlzIGlzc3VlIGFzIEkgbmVlZGVkIHRvIHdhaXQgdW50aWwgdGhlIHNl
cnZpY2UgdGlja2V0IGhhZCDigJhleHBpcmVk4oCZIG9uIHRoZSBzZXJ2ZXIgLSBidXQgbm90IHll
dCBvbiB0aGUgY2xpZW50Lg0KPj4+PiANCj4+Pj4gV2Ugc2VlIHRoaXMgaXNzdWUgYWxsIHRoZSB0
aW1lIGluIE5ldEFwcCBRQSBhcyB3ZSBydW4gbXV0aXBsZSBkYXkgaGVhdnkgSU8gdGVzdHMgYWdh
aW5zdCBhIGtlcmJlcm9zIG1vdW50LiBJZiB0aGUgc2VydmVyIGNsb2NrIGlzIGFoZWFkIG9mIHRo
ZSBjbGllbnQgY2xvY2ssIHBlcm1pc3Npb24gZGVuaWVkIGVycm9ycyBzdG9wIHRoZSB0ZXN0IGFz
IHRoZSBmaXJzdCBzZXJ2aWNlIHRpY2tldCDigJxleHBpcmVz4oCdIG9uIHRoZSBzZXJ2ZXIgYnV0
IG5vdCBvbiB0aGUgY2xpZW50Lg0KPj4+IA0KPj4+IElmIHRoZSBpc3N1ZSBpcyBub3QgY2F1c2Vk
IGJ5IHNob3J0LWxpZmV0aW1lIHNlcnZpY2UgcHJpbmNpcGFscywNCj4+IA0KPj4gSSB3YXMgd3Jv
bmcgLSB5b3UgYXJlIHJpZ2h0LCBpdCBpcyBjYXVzZWQgYnkgc2VydmljZSB0aWNrZXQgbGlmZXRp
bWVzIGJlaW5nIHNob3J0ZXIgdGhhbiBUR1QgbGlmZXRpbWVzLg0KPj4gDQo+PiBJIGRpZG7igJl0
IGtub3cgc2V0dGluZyB0aGUgc2VydmljZSB0aWNrZXQgbGlmZXRpbWVzIHRvIG5vdCBiZSBsZXNz
IHRoYW4NCj4+IFRHVCBsaWZldGltZXMgd2FzIGEgcmVxdWlyZW1lbnQuIE5laXRoZXIgZG9lcyBO
ZXRBcHAgUUEgYW5kIEkgc3VzcGVjdCwNCj4+IG5laXRoZXIgZG8gY3VzdG9tZXJzIGluIGdlbmVy
YWwuDQo+IA0KPiBJdCdzIG5vdCBhIHJlcXVpcmVtZW50LiAgKEdyZWcgZXhwbGljaXRseSBzYWlk
ICJUaGF0IHNhaWQsIHlvdXIgc2NlbmFyaW8NCj4gc2hvdWxkIHdvcmssIGFuZCBpdCBkb2Vzbid0
LiIgaW4gaGlzIGZpcnN0IG1lc3NhZ2UuKQ0KDQpIaSBCZW4NCg0KT0suICBUaGlzIGRvZXMgbWVh
biB0aGF0IHVudGlsIHRoaXMgZ2V0cyBhZGRyZXNzZWQsIHdlIHdpbGwgbmVlZCB0byBwb2ludCB0
aGlzIG91dCB0byBhZG1pbmlzdHJhdG9ycy4NCg0KPiANCj4+PiB0aGVuDQo+Pj4gdGhlIHRlc3Qg
c2NlbmFyaW8geW91IGRlc2NyaWJlZCBpc24ndCByZXByZXNlbnRhdGl2ZSBvZiB0aGUgcmVhbA0K
Pj4+IHNjZW5hcmlvLiAgVG8gcmVwcm9kdWNlIHRoZSBwcm9ibGVtIGFzIGl0IG1hbmlmZXN0cyBp
biB5b3VyIElPIHRlc3RzLA0KPj4+IHlvdSB3aWxsIG5lZWQgdG8gYWRqdXN0IHRoZSBUR1QgbGlm
ZXRpbWUgZG93biB0byB0ZW4gbWludXRlcyBhcyB3ZWxsIGFzDQo+Pj4gdGhlIG5mcy9zZXJ2ZXIg
bGlmZXRpbWUuDQo+PiANCj4+IENvZGUgd2FzIGFkZGVkIHRvIHJwYy5nc3NkLCB0aGUgTkZTIGNs
aWVudCBhZ2VudCB0aGF0IGNyZWF0ZXMgR1NTDQo+PiBjb250ZXh0cyBmb3IgTkZTLCB0byB0YWtl
IGludG8gYWNjb3VudCB0aGUgY2xvY2sgc2tldyBhbmQgZ2V0IGEgbmV3IFRHVA0KPj4gYmVmb3Jl
IChub3crY2xvY2sgc2tldykuIFNvIGlmIHRoZSBzZXJ2aWNlIHRpY2tldCBsaWZldGltZSBpcyBl
cXVhbCB0bw0KPj4gb3IgZ3JlYXRlciB0aGFuIHRoZSBUR1QgbGlmZXRpbWUsIHRoZW4gYWxsIGlz
IHdlbGwuDQo+PiANCj4+PiANCj4+Pj4+IElmIHRoZSBUR1QgaXRzZWxmIGhhcyBleHBpcmVkIG9y
IGlzIGFib3V0IHRvIGV4cGlyZSwgc29tZQ0KPj4+Pj4gb3V0LW9mLWJhbmQgYWdlbnQgbmVlZHMg
dG8gcmVmcmVzaCB0aGUgVEdUIHNvbWVob3csIGFuZCBpdCBkb2Vzbid0DQo+Pj4+PiBtYXR0ZXIg
YWxsIHRoYXQgbXVjaCB3aGV0aGVyIHRoZSBmYWlsdXJlIGNvbWVzIGZyb20gdGhlIGNsaWVudCBv
ciB0aGUNCj4+Pj4+IHNlcnZlci4NCj4+Pj4gDQo+Pj4+IEkgdGhvdWdodCB0aGF0IGhhdmluZyBh
IGtleXRhYiBlbnRyeSBhbmQgYSByZW5ld2FibGUgVEdUIHdhcyBlbm91Z2guDQo+Pj4gDQo+Pj4g
SSdtIG5vdCBzdXJlIHdoeSB5b3Ugd291bGQgZG8gYm90aCBvZiB0aGVzZTsgaWYgeW91J3JlIGdl
dHRpbmcgaW5pdGlhbA0KPj4+IGNyZWRzIHdpdGggYSBrZXl0YWIsIHRoZXJlIGlzIG5vIG5lZWQg
dG8gbXVjayBhcm91bmQgd2l0aCB0aWNrZXQgcmVuZXdhbC4NCj4+IA0KPj4gSSB3b3VsZG7igJl0
LCBidXQgUUEgYW5kIGN1c3RvbWVycyBkby4NCj4+IA0KPj4+IA0KPj4+IEFueXdheSwgZ3NzX2lu
aXRfc2VjX2NvbnRleHQoKSBuZXZlciByZW5ld3MgdGlja2V0cywgYW5kIG9ubHkgZ2V0cw0KPj4+
IHRpY2tldHMgZnJvbSBhIGtleXRhYiB3aGVuIGEgY2xpZW50IGtleXRhYiBpcyBjb25maWd1cmVk
IChuZXcgaW4gMS4xMSkuDQo+Pj4gV2hlbiB0aWNrZXRzIGFyZSBvYnRhaW5lZCB1c2luZyBhIGNs
aWVudCBrZXl0YWIsIHRoZXkgYXJlIHJlZnJlc2hlZA0KPj4+IGZyb20gdGhlIGtleXRhYiB3aGVu
IHRoZXkgYXJlIGhhbGZ3YXkgdG8gZXhwaXJpbmcsDQo+PiANCj4+IHJlZnJlc2hlZCBieeKApj8N
Cj4gDQo+IFRoZSBHU1MgbGlicmFyeSBpdHNlbGYuDQo+IGh0dHA6Ly9rNXdpa2kua2VyYmVyb3Mu
b3JnL3dpa2kvUHJvamVjdHMvS2V5dGFiX2luaXRpYXRpb24gYW5kDQo+IGh0dHA6Ly93ZWIubWl0
LmVkdS9rZXJiZXJvcy9rcmI1LWxhdGVzdC9kb2MvYmFzaWMva2V5dGFiX2RlZi5odG1sI2RlZmF1
bHQtY2xpZW50LWtleXRhYg0KPiBnaXZlIGEgbGl0dGxlIGJpdCBvZiBpbnRybywgdGhvdWdoIHRo
aXMgZmVhdHVyZSBjb3VsZCBiZW5lZml0IGZyb20gYmV0dGVyDQo+IGRvY3VtZW50YXRpb24uDQoN
ClRoYW5rcyBmb3IgdGhlIGluZm8NCg0K4oCUPkFuZHkNCj4gDQo+IC1CZW4NCj4gDQo+Pj4gc28g
dGhpcyBjbG9jayBza2V3DQo+Pj4gaXNzdWUgc2hvdWxkIG5vdCBhcmlzZSwgc28gSSBkb24ndCB0
aGluayB0aGF0IGZlYXR1cmUgaXMgYmVpbmcgdXNlZC4NCj4+PiANCj4+PiBJdCBpcyBwb3NzaWJs
ZSB0aGF0IHRoZSBORlMgY2xpZW50IGNvZGUgaGFzIGl0cyBvd24gc2VwYXJhdGUgbG9naWMgZm9y
DQo+Pj4gb2J0YWluaW5nIG5ldyB0aWNrZXRzIHVzaW5nIGEga2V5dGFiLg0KPj4gDQo+PiBXaGVu
IGFuIE5GUyByZXF1ZXN0IHJlcXVpcmVzIGEgR1NTIGNvbnRleHQsIGlmIHRoZSBjb250ZXh0IGRv
ZXMgbm90DQo+PiBleGlzdCwgaXMgbm90IHZhbGlkLCBvciBpZiBpdCBpcyB2YWxpZCBidXQgdGhl
IHNlcnZlciByZXBsaWVzIHRvIGFuIFJQQw0KPj4gcmVxdWVzdCB1c2luZyBhIEdTUyBjb250ZXh0
IHdpdGggYW4gUlBDIGVycm9yIHRoYXQgaW5kaWNhdGVzIGl04oCZcyBzaWRlDQo+PiBvZiB0aGUg
R1NTIGNvbnRleHQgaGFzIGEgcHJvYmxlbSwgdGhlIGNsaWVudCBrZXJuZWwgZG9lcyBhbiB1cGNh
bGwgdG8NCj4+IHJwYy5nc3NkIHdoaWNoIHRoZW4gZGVjaWRlcyBpZiBhIG5ldyBzZXJ2aWNlIHRp
Y2tldCBpcyByZXF1aXJlZCB0byBzZW5kDQo+PiBhbiBSUENTRUNfR1NTX0lOSVQgbWVzc2FnZSB0
byB0aGUgc2VydmVyIHRvIGNyZWF0ZSBhIG5ldyBHU1MgY29udGV4dC4NCj4+IFRoZSByZXN1bHRh
bnQgR1NTIGNvbnRleHQgaXMgc3RvcmVkIGluIHRoZSBjbGllbnQga2VybmVsIHdpdGggYSBsaWZl
dGltZQ0KPj4gZXF1YWwgdG8gdGhlIHNlcnZpY2UgdGlja2V0IHVzZWQgdG8gY3JlYXRlIGl0Lg0K
Pj4gDQo+PiBJZiBycGMuZ3NzZCBjYWxscyB0aGUgY29kZSB0aGF0IHJlZnJlc2hlcyB0aGUgdGlj
a2V0cyBmcm9tIHRoZSBrZXl0YWINCj4+IHdoZW4gdGhleSBhcmUgaGFsZiB3YXkgdG8gZXhwaXJp
bmfigJkgdGhlbiB0aGF0IHNob3VsZCBtaXRpZ2F0ZSB0aGUgY2xvY2sNCj4+IHNrZXcgaXNzdWUu
DQo+PiANCj4+IA0KPj4+IElmIHNvLCB3ZSBuZWVkIHRvIHVuZGVyc3RhbmQgaG93DQo+Pj4gaXQg
d29ya3MuICBJdCdzIHBvc3NpYmxlICh0aG91Z2ggdW5saWtlbHkpIHRoYXQgY2hhbmdpbmcgdGhl
IGJlaGF2aW9yIG9mDQo+Pj4gZ3NzX2FjY2VwdF9zZWNfY29udGV4dCgpIHdvdWxkbid0IGJlIHN1
ZmZpY2llbnQgYnkgaXRzZWxmLg0KPj4gDQo+PiANCj4+IF9fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fDQo+PiBrcmJkZXYgbWFpbGluZyBsaXN0ICAgICAgICAg
ICAgIGtyYmRldkBtaXQuZWR1DQo+PiBodHRwczovL21haWxtYW4ubWl0LmVkdS9tYWlsbWFuL2xp
c3RpbmZvL2tyYmRldg0KDQo=

Re: Gss context refresh failure due to clock skew

[Adamson, Andy]

DQo+IE9uIE9jdCA2LCAyMDE1LCBhdCAxMDo1MyBBTSwgQW5keSBBZGFtc29uIDxhbmRyb3NAbmV0
YXBwLmNvbT4gd3JvdGU6DQo+IA0KPj4gDQo+PiBPbiBPY3QgNSwgMjAxNSwgYXQgODowMiBQTSwg
QmVuamFtaW4gS2FkdWsgPGthZHVrQE1JVC5FRFU+IHdyb3RlOg0KPj4gDQo+PiBPbiBNb24sIDUg
T2N0IDIwMTUsIEFkYW1zb24sIEFuZHkgd3JvdGU6DQo+PiANCj4+PiANCj4+Pj4gT24gT2N0IDUs
IDIwMTUsIGF0IDQ6MDIgUE0sIEdyZWcgSHVkc29uIDxnaHVkc29uQE1JVC5FRFU+IHdyb3RlOg0K
Pj4+PiANCj4+Pj4gT24gMTAvMDUvMjAxNSAwMzozNSBQTSwgQWRhbXNvbiwgQW5keSB3cm90ZToN
Cj4+Pj4+PiBJIHRoaW5rIHRoaXMgY2FzZSBkb2Vzbid0IGFyaXNlIG9mdGVuIGJlY2F1c2UgcGVv
cGxlIGRvbid0IG9mdGVuIHNldA0KPj4+Pj4+IG1heGltdW0gc2VydmljZSB0aWNrZXQgbGlmZXRp
bWVzIHRvIGJlIHNob3J0ZXIgdGhhbiBtYXhpbXVtIFRHVA0KPj4+Pj4+IGxpZmV0aW1lcy4NCj4+
Pj4+IA0KPj4+Pj4gTm90IHRoZSBjYXVzZSBvZiB0aGUgaXNzdWUuIFRoZSBzZXJ2aWNlIHRpY2tl
dCBsaWZldGltZSBvZiAxMCBtaW51dGVzIGlzIGp1c3QgdGhlcmUgZm9yIHRlc3RpbmcgdGhpcyBp
c3N1ZSBhcyBJIG5lZWRlZCB0byB3YWl0IHVudGlsIHRoZSBzZXJ2aWNlIHRpY2tldCBoYWQg4oCY
ZXhwaXJlZOKAmSBvbiB0aGUgc2VydmVyIC0gYnV0IG5vdCB5ZXQgb24gdGhlIGNsaWVudC4NCj4+
Pj4+IA0KPj4+Pj4gV2Ugc2VlIHRoaXMgaXNzdWUgYWxsIHRoZSB0aW1lIGluIE5ldEFwcCBRQSBh
cyB3ZSBydW4gbXV0aXBsZSBkYXkgaGVhdnkgSU8gdGVzdHMgYWdhaW5zdCBhIGtlcmJlcm9zIG1v
dW50LiBJZiB0aGUgc2VydmVyIGNsb2NrIGlzIGFoZWFkIG9mIHRoZSBjbGllbnQgY2xvY2ssIHBl
cm1pc3Npb24gZGVuaWVkIGVycm9ycyBzdG9wIHRoZSB0ZXN0IGFzIHRoZSBmaXJzdCBzZXJ2aWNl
IHRpY2tldCDigJxleHBpcmVz4oCdIG9uIHRoZSBzZXJ2ZXIgYnV0IG5vdCBvbiB0aGUgY2xpZW50
Lg0KPj4+PiANCj4+Pj4gSWYgdGhlIGlzc3VlIGlzIG5vdCBjYXVzZWQgYnkgc2hvcnQtbGlmZXRp
bWUgc2VydmljZSBwcmluY2lwYWxzLA0KPj4+IA0KPj4+IEkgd2FzIHdyb25nIC0geW91IGFyZSBy
aWdodCwgaXQgaXMgY2F1c2VkIGJ5IHNlcnZpY2UgdGlja2V0IGxpZmV0aW1lcyBiZWluZyBzaG9y
dGVyIHRoYW4gVEdUIGxpZmV0aW1lcy4NCg0KDQpBY3R1YWxseSwgc2V0dGluZyB0aGUgc2Vydmlj
ZSB0aWNrZXQgbGlmZXRpbWUgdG8gYmUgZXF1YWwgdG8gKG9yIGdyZWF0ZXIgdGhhbiBpZiB0aGlz
IGlzIHBvc3NpYmxlKSB0aGUgVEdUIGxpZmV0aW1lIHdpbGwgbm90IGhlbHAuIEp1c3QgYXMgaW4g
dGhlIGV4YW1wbGUgSSBzZW50LCB0aGUgYXBwbGljYXRpb24gd2lsbCBnZXQgcGVybWlzc2lvbiBk
ZW5pZWQgZHVyaW5nIHRoZSB0aW1lIGRpZmZlcmVuY2UgYmV0d2VlbiB0aGUgY2xpZW50IGFuZCBz
ZXJ2ZXIgY2xvY2suDQoNClNheSB0aGUgc2VydmVyIGNsb2NrIGlzIGFoZWFkIG9mIHRoZSBjbGll
bnQgY2xvY2sgYnkgWCBzZWNvbmRzIGFuZCB0aGF0IHRoZSBzZXJ2aWNlIHRpY2tldCBvbiB0aGUg
Y2xpZW50IGhhcyBYIHNlY29uZHMgb2YgbGlmZXRpbWUgbGVmdCBiZWZvcmUgaXMgZXhwaXJlcyBv
biB0aGUgY2xpZW50IC0gd2hpY2ggbWVhbnMgaXQgaGFzIGFscmVhZHkgZXhwaXJlZCBvbiB0aGUg
c2VydmVyLiBUaGUgY2xpZW50IHNlbmRzIGFuIE5GUyByZXF1ZXN0IHdoaWNoIHdpbGwgYmUgcmVq
ZWN0ZWQgYnkgdGhlIHNlcnZlciB3aXRoIGEgYmFkIGNvbnRleHQgUlBDIGxldmVsIEFVVEhfRVJS
T1IgYXMgdGhlIEdTUyBDb250ZXh0IG9uIHRoZSBzZXJ2ZXIgd2lsbCBoYXZlIGV4cGlyZWQgKGNv
bnRleHQgbGlmZXRpbWUgPT0gc2VydmljZSB0aWNrZXQgbGlmZXRpbWUpLiBUaGUgc2VydmVyIHJl
cGx5IHByb21wdHMgdGhlIGNsaWVudCBkbyBhbiB1cGNhbGwgdG8gZ3NzZCB0byByZWZyZXNoIHRo
ZSBHU1MgY29udGV4dC4gZ3NzZCBzZW5kcyBhbiBSUENTRUNfR1NTX0lOSVQgbWVzc2FnZSB1c2lu
ZyB0aGUgc2VydmljZSB0aWNrZXQgKGFzIGl0IHN0aWxsIGhhcyBYIHNlY29uZHMgb2YgdmFsaWQg
bGlmZXRpbWUpLCBhbmQgdGhlIHNlcnZlciB3aWxsIHJlamVjdCB0aGUgUlBDU0VDX0dTU19JTklU
IHJlcXVlc3Qgd2l0aCBHU1NfU19DUkVERU5USUFMU19FWFBJUkVELg0KDQrigJQ+QW5keQ0KDQoN
Cg0KPj4+IA0KPj4+IEkgZGlkbuKAmXQga25vdyBzZXR0aW5nIHRoZSBzZXJ2aWNlIHRpY2tldCBs
aWZldGltZXMgdG8gbm90IGJlIGxlc3MgdGhhbg0KPj4+IFRHVCBsaWZldGltZXMgd2FzIGEgcmVx
dWlyZW1lbnQuIE5laXRoZXIgZG9lcyBOZXRBcHAgUUEgYW5kIEkgc3VzcGVjdCwNCj4+PiBuZWl0
aGVyIGRvIGN1c3RvbWVycyBpbiBnZW5lcmFsLg0KPj4gDQo+PiBJdCdzIG5vdCBhIHJlcXVpcmVt
ZW50LiAgKEdyZWcgZXhwbGljaXRseSBzYWlkICJUaGF0IHNhaWQsIHlvdXIgc2NlbmFyaW8NCj4+
IHNob3VsZCB3b3JrLCBhbmQgaXQgZG9lc24ndC4iIGluIGhpcyBmaXJzdCBtZXNzYWdlLikNCj4g
DQo+IEhpIEJlbg0KPiANCj4gT0suICBUaGlzIGRvZXMgbWVhbiB0aGF0IHVudGlsIHRoaXMgZ2V0
cyBhZGRyZXNzZWQsIHdlIHdpbGwgbmVlZCB0byBwb2ludCB0aGlzIG91dCB0byBhZG1pbmlzdHJh
dG9ycy4NCj4gDQo+PiANCj4+Pj4gdGhlbg0KPj4+PiB0aGUgdGVzdCBzY2VuYXJpbyB5b3UgZGVz
Y3JpYmVkIGlzbid0IHJlcHJlc2VudGF0aXZlIG9mIHRoZSByZWFsDQo+Pj4+IHNjZW5hcmlvLiAg
VG8gcmVwcm9kdWNlIHRoZSBwcm9ibGVtIGFzIGl0IG1hbmlmZXN0cyBpbiB5b3VyIElPIHRlc3Rz
LA0KPj4+PiB5b3Ugd2lsbCBuZWVkIHRvIGFkanVzdCB0aGUgVEdUIGxpZmV0aW1lIGRvd24gdG8g
dGVuIG1pbnV0ZXMgYXMgd2VsbCBhcw0KPj4+PiB0aGUgbmZzL3NlcnZlciBsaWZldGltZS4NCj4+
PiANCj4+PiBDb2RlIHdhcyBhZGRlZCB0byBycGMuZ3NzZCwgdGhlIE5GUyBjbGllbnQgYWdlbnQg
dGhhdCBjcmVhdGVzIEdTUw0KPj4+IGNvbnRleHRzIGZvciBORlMsIHRvIHRha2UgaW50byBhY2Nv
dW50IHRoZSBjbG9jayBza2V3IGFuZCBnZXQgYSBuZXcgVEdUDQo+Pj4gYmVmb3JlIChub3crY2xv
Y2sgc2tldykuIFNvIGlmIHRoZSBzZXJ2aWNlIHRpY2tldCBsaWZldGltZSBpcyBlcXVhbCB0bw0K
Pj4+IG9yIGdyZWF0ZXIgdGhhbiB0aGUgVEdUIGxpZmV0aW1lLCB0aGVuIGFsbCBpcyB3ZWxsLg0K
Pj4+IA0KPj4+PiANCj4+Pj4+PiBJZiB0aGUgVEdUIGl0c2VsZiBoYXMgZXhwaXJlZCBvciBpcyBh
Ym91dCB0byBleHBpcmUsIHNvbWUNCj4+Pj4+PiBvdXQtb2YtYmFuZCBhZ2VudCBuZWVkcyB0byBy
ZWZyZXNoIHRoZSBUR1Qgc29tZWhvdywgYW5kIGl0IGRvZXNuJ3QNCj4+Pj4+PiBtYXR0ZXIgYWxs
IHRoYXQgbXVjaCB3aGV0aGVyIHRoZSBmYWlsdXJlIGNvbWVzIGZyb20gdGhlIGNsaWVudCBvciB0
aGUNCj4+Pj4+PiBzZXJ2ZXIuDQo+Pj4+PiANCj4+Pj4+IEkgdGhvdWdodCB0aGF0IGhhdmluZyBh
IGtleXRhYiBlbnRyeSBhbmQgYSByZW5ld2FibGUgVEdUIHdhcyBlbm91Z2guDQo+Pj4+IA0KPj4+
PiBJJ20gbm90IHN1cmUgd2h5IHlvdSB3b3VsZCBkbyBib3RoIG9mIHRoZXNlOyBpZiB5b3UncmUg
Z2V0dGluZyBpbml0aWFsDQo+Pj4+IGNyZWRzIHdpdGggYSBrZXl0YWIsIHRoZXJlIGlzIG5vIG5l
ZWQgdG8gbXVjayBhcm91bmQgd2l0aCB0aWNrZXQgcmVuZXdhbC4NCj4+PiANCj4+PiBJIHdvdWxk
buKAmXQsIGJ1dCBRQSBhbmQgY3VzdG9tZXJzIGRvLg0KPj4+IA0KPj4+PiANCj4+Pj4gQW55d2F5
LCBnc3NfaW5pdF9zZWNfY29udGV4dCgpIG5ldmVyIHJlbmV3cyB0aWNrZXRzLCBhbmQgb25seSBn
ZXRzDQo+Pj4+IHRpY2tldHMgZnJvbSBhIGtleXRhYiB3aGVuIGEgY2xpZW50IGtleXRhYiBpcyBj
b25maWd1cmVkIChuZXcgaW4gMS4xMSkuDQo+Pj4+IFdoZW4gdGlja2V0cyBhcmUgb2J0YWluZWQg
dXNpbmcgYSBjbGllbnQga2V5dGFiLCB0aGV5IGFyZSByZWZyZXNoZWQNCj4+Pj4gZnJvbSB0aGUg
a2V5dGFiIHdoZW4gdGhleSBhcmUgaGFsZndheSB0byBleHBpcmluZywNCj4+PiANCj4+PiByZWZy
ZXNoZWQgYnnigKY/DQo+PiANCj4+IFRoZSBHU1MgbGlicmFyeSBpdHNlbGYuDQo+PiBodHRwOi8v
azV3aWtpLmtlcmJlcm9zLm9yZy93aWtpL1Byb2plY3RzL0tleXRhYl9pbml0aWF0aW9uIGFuZA0K
Pj4gaHR0cDovL3dlYi5taXQuZWR1L2tlcmJlcm9zL2tyYjUtbGF0ZXN0L2RvYy9iYXNpYy9rZXl0
YWJfZGVmLmh0bWwjZGVmYXVsdC1jbGllbnQta2V5dGFiDQo+PiBnaXZlIGEgbGl0dGxlIGJpdCBv
ZiBpbnRybywgdGhvdWdoIHRoaXMgZmVhdHVyZSBjb3VsZCBiZW5lZml0IGZyb20gYmV0dGVyDQo+
PiBkb2N1bWVudGF0aW9uLg0KPiANCj4gVGhhbmtzIGZvciB0aGUgaW5mbw0KPiANCj4g4oCUPkFu
ZHkNCj4+IA0KPj4gLUJlbg0KPj4gDQo+Pj4+IHNvIHRoaXMgY2xvY2sgc2tldw0KPj4+PiBpc3N1
ZSBzaG91bGQgbm90IGFyaXNlLCBzbyBJIGRvbid0IHRoaW5rIHRoYXQgZmVhdHVyZSBpcyBiZWlu
ZyB1c2VkLg0KPj4+PiANCj4+Pj4gSXQgaXMgcG9zc2libGUgdGhhdCB0aGUgTkZTIGNsaWVudCBj
b2RlIGhhcyBpdHMgb3duIHNlcGFyYXRlIGxvZ2ljIGZvcg0KPj4+PiBvYnRhaW5pbmcgbmV3IHRp
Y2tldHMgdXNpbmcgYSBrZXl0YWIuDQo+Pj4gDQo+Pj4gV2hlbiBhbiBORlMgcmVxdWVzdCByZXF1
aXJlcyBhIEdTUyBjb250ZXh0LCBpZiB0aGUgY29udGV4dCBkb2VzIG5vdA0KPj4+IGV4aXN0LCBp
cyBub3QgdmFsaWQsIG9yIGlmIGl0IGlzIHZhbGlkIGJ1dCB0aGUgc2VydmVyIHJlcGxpZXMgdG8g
YW4gUlBDDQo+Pj4gcmVxdWVzdCB1c2luZyBhIEdTUyBjb250ZXh0IHdpdGggYW4gUlBDIGVycm9y
IHRoYXQgaW5kaWNhdGVzIGl04oCZcyBzaWRlDQo+Pj4gb2YgdGhlIEdTUyBjb250ZXh0IGhhcyBh
IHByb2JsZW0sIHRoZSBjbGllbnQga2VybmVsIGRvZXMgYW4gdXBjYWxsIHRvDQo+Pj4gcnBjLmdz
c2Qgd2hpY2ggdGhlbiBkZWNpZGVzIGlmIGEgbmV3IHNlcnZpY2UgdGlja2V0IGlzIHJlcXVpcmVk
IHRvIHNlbmQNCj4+PiBhbiBSUENTRUNfR1NTX0lOSVQgbWVzc2FnZSB0byB0aGUgc2VydmVyIHRv
IGNyZWF0ZSBhIG5ldyBHU1MgY29udGV4dC4NCj4+PiBUaGUgcmVzdWx0YW50IEdTUyBjb250ZXh0
IGlzIHN0b3JlZCBpbiB0aGUgY2xpZW50IGtlcm5lbCB3aXRoIGEgbGlmZXRpbWUNCj4+PiBlcXVh
bCB0byB0aGUgc2VydmljZSB0aWNrZXQgdXNlZCB0byBjcmVhdGUgaXQuDQo+Pj4gDQo+Pj4gSWYg
cnBjLmdzc2QgY2FsbHMgdGhlIGNvZGUgdGhhdCByZWZyZXNoZXMgdGhlIHRpY2tldHMgZnJvbSB0
aGUga2V5dGFiDQo+Pj4gd2hlbiB0aGV5IGFyZSBoYWxmIHdheSB0byBleHBpcmluZ+KAmSB0aGVu
IHRoYXQgc2hvdWxkIG1pdGlnYXRlIHRoZSBjbG9jaw0KPj4+IHNrZXcgaXNzdWUuDQo+Pj4gDQo+
Pj4gDQo+Pj4+IElmIHNvLCB3ZSBuZWVkIHRvIHVuZGVyc3RhbmQgaG93DQo+Pj4+IGl0IHdvcmtz
LiAgSXQncyBwb3NzaWJsZSAodGhvdWdoIHVubGlrZWx5KSB0aGF0IGNoYW5naW5nIHRoZSBiZWhh
dmlvciBvZg0KPj4+PiBnc3NfYWNjZXB0X3NlY19jb250ZXh0KCkgd291bGRuJ3QgYmUgc3VmZmlj
aWVudCBieSBpdHNlbGYuDQo+Pj4gDQo+Pj4gDQo+Pj4gX19fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX18NCj4+PiBrcmJkZXYgbWFpbGluZyBsaXN0ICAgICAgICAg
ICAgIGtyYmRldkBtaXQuZWR1DQo+Pj4gaHR0cHM6Ly9tYWlsbWFuLm1pdC5lZHUvbWFpbG1hbi9s
aXN0aW5mby9rcmJkZXYNCg0K

Re: Gss context refresh failure due to clock skew

[Greg Hudson]

On 10/07/2015 09:22 AM, Adamson, Andy wrote:
> Actually, setting the service ticket lifetime to be equal to (or greater than if this is possible) the TGT lifetime will not help. Just as in the example I sent, the application will get permission denied during the time difference between the client and server clock.

That is expected.  What is not expected, in this variant, is that
gss_init_sec_context() will succeed by itself once the client believes
the TGT and service ticket to have expired.  Apologies for any
miscommunication on this point.

There may be something in the calling code which refreshes the TGT in
this situation.  If so, then to fully understand the scenario, we need
to know how the calling code decides when to refresh the TGT.

I opened a ticket about this issue here:

    http://krbdev.mit.edu/rt/Ticket/Display.html?id=8268

Re: Gss context refresh failure due to clock skew

[Adamson, Andy]

DQo+IE9uIE9jdCA3LCAyMDE1LCBhdCAxMDo0NSBBTSwgR3JlZyBIdWRzb24gPGdodWRzb25ATUlU
LkVEVT4gd3JvdGU6DQo+IA0KPiBPbiAxMC8wNy8yMDE1IDA5OjIyIEFNLCBBZGFtc29uLCBBbmR5
IHdyb3RlOg0KPj4gQWN0dWFsbHksIHNldHRpbmcgdGhlIHNlcnZpY2UgdGlja2V0IGxpZmV0aW1l
IHRvIGJlIGVxdWFsIHRvIChvciBncmVhdGVyIHRoYW4gaWYgdGhpcyBpcyBwb3NzaWJsZSkgdGhl
IFRHVCBsaWZldGltZSB3aWxsIG5vdCBoZWxwLiBKdXN0IGFzIGluIHRoZSBleGFtcGxlIEkgc2Vu
dCwgdGhlIGFwcGxpY2F0aW9uIHdpbGwgZ2V0IHBlcm1pc3Npb24gZGVuaWVkIGR1cmluZyB0aGUg
dGltZSBkaWZmZXJlbmNlIGJldHdlZW4gdGhlIGNsaWVudCBhbmQgc2VydmVyIGNsb2NrLg0KPiAN
Cj4gVGhhdCBpcyBleHBlY3RlZC4gIFdoYXQgaXMgbm90IGV4cGVjdGVkLCBpbiB0aGlzIHZhcmlh
bnQsIGlzIHRoYXQNCj4gZ3NzX2luaXRfc2VjX2NvbnRleHQoKSB3aWxsIHN1Y2NlZWQgYnkgaXRz
ZWxmIG9uY2UgdGhlIGNsaWVudCBiZWxpZXZlcw0KPiB0aGUgVEdUIGFuZCBzZXJ2aWNlIHRpY2tl
dCB0byBoYXZlIGV4cGlyZWQuICBBcG9sb2dpZXMgZm9yIGFueQ0KPiBtaXNjb21tdW5pY2F0aW9u
IG9uIHRoaXMgcG9pbnQuDQo+IA0KPiBUaGVyZSBtYXkgYmUgc29tZXRoaW5nIGluIHRoZSBjYWxs
aW5nIGNvZGUgd2hpY2ggcmVmcmVzaGVzIHRoZSBUR1QgaW4NCj4gdGhpcyBzaXR1YXRpb24uICBJ
ZiBzbywgdGhlbiB0byBmdWxseSB1bmRlcnN0YW5kIHRoZSBzY2VuYXJpbywgd2UgbmVlZA0KPiB0
byBrbm93IGhvdyB0aGUgY2FsbGluZyBjb2RlIGRlY2lkZXMgd2hlbiB0byByZWZyZXNoIHRoZSBU
R1QuDQo+IA0KPiBJIG9wZW5lZCBhIHRpY2tldCBhYm91dCB0aGlzIGlzc3VlIGhlcmU6DQo+IA0K
PiAgICBodHRwOi8va3JiZGV2Lm1pdC5lZHUvcnQvVGlja2V0L0Rpc3BsYXkuaHRtbD9pZD04MjY4
DQoNCuKAlOKAlCBmcm9tIHRoZSB0aWNrZXQ6IOKAlOKAlCANCg0KVGhpcyB1bm5lY2Vzc2FyaWx5
IHN0cmljdCBjaGVjayBjYXVzZXMgYSBwYXJ0aWN1bGFybHkgYmFkIGV4cGVyaWVuY2UNCndoZW4g
KGEpIHRoZSBjbGllbnQncyBjbG9jayBpcyBzbGlnaHRseSBhaGVhZCBvZiB0aGUgc2VydmVyJ3Mg
Y2xvY2ssDQphbmQgKGIpIHRoZSBtYXhpbXVtIHNlcnZpY2UgdGlja2V0IGxpZmV0aW1lIGlzIGxv
d2VyIHRoYW4gdGhlIG1heGltdW0NClRHVCBsaWZldGltZS4gDQoNCuKAlOKAlCDigJTigJQgDQpJ
IHRoaW5rIGJvdGggYSkgYW5kIGIpIGFyZSBpbmNvcnJlY3QuDQoNCmZvciBhKSB5b3UgZ290IGl0
IGJhY2t3YXJkcy4gdGhpcyBvY2N1cnMgd2hlbiB0aGUgc2VydmVyIGNsb2NrIGlzIGFoZWFkIG9m
IHRoZSBjbGllbnQgY2xvY2suDQoNCmZvciBiKSB0aGUgcmVsYXRpb25zaGlwIGJldHdlZW4gdGhl
IFRHVCBsaWZldGltZSBhbmQgdGhlIHNlcnZpY2UgdGlja2V0IGxpZmV0aW1lIGlzIGlycmVsZXZh
bnQuIE9ubHkgdGhlIHNlcnZpY2UgdGlja2V0IGxpZmV0aW1lIGhhcyBhbnkgZWZmZWN0IGFzIHRo
ZSBjbGllbnQgd2lsbCB1c2UgYSB2YWxpZCBzZXJ2aWNlIHRpY2tldCB0byBjb25zdHJ1Y3QgYW4g
UlBDU0VDX0dTU19JTklUIHJlcXVlc3QgaXJyZWdhcmRsZXNzIG9mIHRoZSBUR1QgbGlmZXRpbWUg
dmFsdWUuDQoNCg0KSGVyZSBpcyBob3cgSSB3b3VsZCBkZXNjcmliZSBpdDoNCg0KQ2hhbmdlIHRo
aXM6DQoNClRoaXMgdW5uZWNlc3NhcmlseSBzdHJpY3QgY2hlY2sgY2F1c2VzIGEgcGFydGljdWxh
cmx5IGJhZCBleHBlcmllbmNlDQp3aGVuIChhKSB0aGUgY2xpZW50J3MgY2xvY2sgaXMgc2xpZ2h0
bHkgYWhlYWQgb2YgdGhlIHNlcnZlcidzIGNsb2NrLA0KYW5kIChiKSB0aGUgbWF4aW11bSBzZXJ2
aWNlIHRpY2tldCBsaWZldGltZSBpcyBsb3dlciB0aGFuIHRoZSBtYXhpbXVtDQpUR1QgbGlmZXRp
bWUuICBJbiB0aGF0IGNpcmN1bXN0YW5jZSwgdGhlIGNsaWVudCB3aWxsIGFjcXVpcmUgYSBuZXcN
CnNlcnZpY2UgdGlja2V0IHVzaW5nIHRoZSBUR1QgaWYgdGhlIGNsaWVudCBzZWVzIHRoZSBjcmVk
ZW50aWFsIGFzDQpleHBpcmVkLCBidXQgdGhlIGFwcGxpY2F0aW9uIHdpbGwgZXhwZXJpZW5jZSBh
biBhdXRoZW50aWNhdGlvbg0KZmFpbHVyZSBpZiBvbmx5IHRoZSBzZXJ2ZXIgc2VlcyB0aGUgY3Jl
ZGVudGlhbCBhcyBleHBpcmVkLg0KDQoNCnRvIHRoaXMNCg0KVGhpcyB1bm5lY2Vzc2FyaWx5IHN0
cmljdCBjaGVjayBjYXVzZXMgYSBwYXJ0aWN1bGFybHkgYmFkIGV4cGVyaWVuY2UNCndoZW4gdGhl
IHNlcnZlcidzIGNsb2NrIGlzIHNsaWdodGx5IGFoZWFkIG9mIHRoZSBjbGllbnRzIGNsb2NrLg0K
SW4gdGhhdCBjaXJjdW1zdGFuY2UsIHRoZSBjbGllbnQgd2lsbCB1c2UgdGhlIGFsbW9zdCBleHBp
cmVkIHNlcnZpY2UgDQp0aWNrZXQgaW4gY29uc3RydWN0aW5nIHRoZSBnc3NfaW5pdF9zZWNfY29u
dGV4dCBjYWxsIGFuZCBub3QgYWNxdWlyZSANCmEgbmV3IHNlcnZpY2UgdGlja2V0IHVzaW5nIHRo
ZSBUR1QuIFRoZSBhcHBsaWNhdGlvbiB3aWxsIGV4cGVyaWVuY2UgDQphbiBhdXRoZW50aWNhdGlv
biBmYWlsdXJlIGFzIHRoZSBzZXJ2ZXIgY2FsbGluZyBnc3NfYWNjZXB0X3NlY19jb250ZXh0DQpz
ZWVzIHRoZSBjcmVkZW50aWFsIGFzIGV4cGlyZWQuDQoNCg0KDQo=

Re: Gss context refresh failure due to clock skew

[Greg Hudson]

On 10/07/2015 11:00 AM, Adamson, Andy wrote:
> —— from the ticket: —— 
> 
> This unnecessarily strict check causes a particularly bad experience
> when (a) the client's clock is slightly ahead of the server's clock,
> and (b) the maximum service ticket lifetime is lower than the maximum
> TGT lifetime. 
> 
> —— —— 
> I think both a) and b) are incorrect.
> 
> for a) you got it backwards. this occurs when the server clock is ahead of the client clock.

Yes, I did write the wrong thing there; I will follow up on that.

> for b) the relationship between the TGT lifetime and the service ticket lifetime is irrelevant. Only the service ticket lifetime has any effect as the client will use a valid service ticket to construct an RPCSEC_GSS_INIT request irregardless of the TGT lifetime value.

I will try one more time to communicate what I mean:

* If the service ticket end time is less than the TGT end time, then
gss_init_sec_context() fails during the clock skew window, and starts
succeeding again afterwards.

* If the service ticket and TGT have both expired (according to the
server), then gss_init_sec_context() fails, and keeps failing
afterwards, unless there is some out-of-band agent refreshing expired TGTs.

Put another way: we expect authentications to start failing around the
time the TGT expires.  We do not expect authentications to start failing
around the time a service ticket expires, if the TGT is still valid.
That is what I refer to as a "particularly" bad experience.

If that isn't clear, perhaps we should ignore this as a moot point; it
doesn't really affect how we plan to change the krb5 code.

Re: Gss context refresh failure due to clock skew

[Olga Kornievskaia]

On Wed, Oct 7, 2015 at 11:08 AM, Greg Hudson <ghudson@mit.edu> wrote:
> On 10/07/2015 11:00 AM, Adamson, Andy wrote:
>> —— from the ticket: ——
>>
>> This unnecessarily strict check causes a particularly bad experience
>> when (a) the client's clock is slightly ahead of the server's clock,
>> and (b) the maximum service ticket lifetime is lower than the maximum
>> TGT lifetime.
>>
>> —— ——
>> I think both a) and b) are incorrect.
>>
>> for a) you got it backwards. this occurs when the server clock is ahead of the client clock.
>
> Yes, I did write the wrong thing there; I will follow up on that.
>
>> for b) the relationship between the TGT lifetime and the service ticket lifetime is irrelevant. Only the service ticket lifetime has any effect as the client will use a valid service ticket to construct an RPCSEC_GSS_INIT request irregardless of the TGT lifetime value.
>
> I will try one more time to communicate what I mean:
>
> * If the service ticket end time is less than the TGT end time, then
> gss_init_sec_context() fails during the clock skew window, and starts
> succeeding again afterwards.
>
> * If the service ticket and TGT have both expired (according to the
> server), then gss_init_sec_context() fails, and keeps failing
> afterwards, unless there is some out-of-band agent refreshing expired TGTs.
>
> Put another way: we expect authentications to start failing around the
> time the TGT expires.  We do not expect authentications to start failing
> around the time a service ticket expires, if the TGT is still valid.

Why not? This is not what should happen according to the theory of
Kerberos protocol. Let's use slightly generic terms, TGT is a
credential that proves client's identity to the KDC. TGT or it's
lifetime has no relevance in the context of authentication between the
client and a kerberized service, in this case an NFS server. Then a
service ticket is a credential that is used to prove client's identity
to the NFS server. The lifetime of the NFS service ticket should be
allowed to be valid within some configurable clock skew.

> That is what I refer to as a "particularly" bad experience.
>
> If that isn't clear, perhaps we should ignore this as a moot point; it
> doesn't really affect how we plan to change the krb5 code.
> _______________________________________________
> krbdev mailing list             krbdev@mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev