s3:libads: move ads->auth.time_offset to ads->config.time_offset
authorStefan Metzmacher <metze@samba.org>
Tue, 27 Feb 2024 12:49:08 +0000 (13:49 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 14 May 2024 10:18:31 +0000 (10:18 +0000)
There's no reason to pass the LDAP server's time to the kerberos
libraries, as we may talk to a KDC different than the LDAP server!

Also Heimdal handles AS-REQ with KRB5KRB_AP_ERR_SKEW fine and
retries with the time from the krb-error.
MIT records the time from the KDC_ERR_PREAUTH_REQUIRED response
in order to use the KDCs time.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
source3/libads/kerberos_util.c
source3/libads/ldap.c
source3/libads/util.c
source3/librpc/idl/ads.idl
source3/utils/net_ads.c
source3/winbindd/winbindd_pam.c

index 7fca56d3741218997e4cca3e0bea84e606f7be3a..0e98c3acca6789e953530f8e3a3b682fa7111a7b 100644 (file)
@@ -63,7 +63,7 @@ int ads_kinit_password(ADS_STRUCT *ads)
        }
 
        ret = kerberos_kinit_password_ext(s, ads->auth.password,
-                                         ads->auth.time_offset,
+                                         0,
                                          NULL, NULL,
                                          ads->auth.ccache_name, false, false,
                                          0,
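Review bot: The literal `0` that replaces `ads->auth.time_offset` gives no hint of which parameter it stands for, whereas the winbindd_pam.c hunk annotates the same replacement as `0, /* time_offset */`. The kerberos_kinit_password_ext call already has another bare `0` argument in view, so a reader cannot tell them apart; `0, /* time_offset */` here would match the winbindd style. The same applies to the kerberos_set_password call in util.c and to the ads_krb5_set_password calls in net_ads.c (ads_user_add and net_ads_password). ads_kinit_password starts before the hunk and its body continues after it.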
index 5e3c96fb8d8fd4ac273e9524bb384ed1f5e5fda3..bb219baec804dc4d383e1c6c48ddae60fb46b57c 100644 (file)
@@ -3701,10 +3701,16 @@ ADS_STATUS ads_current_time(ADS_STRUCT *ads)
        ads->config.current_time = ads_parse_time(timestr);
 
        if (ads->config.current_time != 0) {
-               ads->auth.time_offset = ads->config.current_time - time(NULL);
-               DEBUG(4,("KDC time offset is %d seconds\n", ads->auth.time_offset));
+               ads->config.time_offset = ads->config.current_time - time(NULL);
+               DBG_INFO("server time offset is %d seconds\n",
+                        ads->config.time_offset);
+       } else {
+               ads->config.time_offset = 0;
        }
 
+       DBG_INFO("server time offset is %d seconds\n",
+                ads->config.time_offset);
+
        ads_msgfree(ads, res);
 
        status = ADS_SUCCESS;
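Review bot: The DBG_INFO inside the `if (ads->config.current_time != 0)` branch duplicates the unconditional DBG_INFO added after the block, so every successfully parsed time is logged twice with identical text at the same level. Dropping the two lines inside the branch and keeping the unconditional one is sufficient, since the latter also covers the new `else` path that resets the offset to 0. Separately, `config.time_offset` is declared `int` in ads.idl while `current_time` is `time_t`, so the subtraction narrows silently; that was already true of `auth.time_offset` and is presumably acceptable for a clock skew in seconds, but a short comment saying so would help the next reader. ads_current_time starts before the hunk and continues after it.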
index a1e33fd3b33dbb073a57c0a646850361b59c4f29..4bb97f817998e523bfdca2314a5705d58677a667 100644 (file)
@@ -110,7 +110,7 @@ ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_princip
        talloc_keep_secret(new_pw_blob.data);
        new_password = (const char *)new_pw_blob.data;
 
-       ret = kerberos_set_password(ads->auth.kdc_server, host_principal, password, host_principal, new_password, ads->auth.time_offset);
+       ret = kerberos_set_password(ads->auth.kdc_server, host_principal, password, host_principal, new_password, 0);
 
        if (!ADS_ERR_OK(ret)) {
                status = ads_ntstatus(ret);
index ded3c738d6df249617245843780447c33abb7d87..49fafb37abf9e818c1b9cd1a4a69c45ea6b2e435 100644 (file)
@@ -52,7 +52,6 @@ interface ads
                string user_name;
                string kdc_server;
                ads_auth_flags flags;
-               int time_offset;
                string ccache_name;
                NTTIME expire_time;
        } ads_auth;
@@ -66,6 +65,7 @@ interface ads
                string server_site_name;
                string client_site_name;
                time_t current_time;
+               int time_offset;
                string schema_path;
                string config_path;
                int ldap_page_size;
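Review bot: The relocated `time_offset` field carries no comment saying what it holds, and sitting next to `current_time` makes the two easy to confuse. ldap.c computes it as `config.current_time - time(NULL)`, so a one-line comment such as `/* LDAP server clock minus local clock, in seconds; reported by net ads info, no longer passed to the kerberos helpers */` would record both the sign convention and the fact that this commit removes its use as a kerberos time offset.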
index df8517d17445f734ff33698ac26d3708ed20f4d1..4350e5e9b41e3069c00a8a88bf9806a671ce0c25 100644 (file)
@@ -553,7 +553,7 @@ static int net_ads_info_json(ADS_STRUCT *ads)
        }
 
        ret = json_add_int (&jsobj, "Server time offset",
-                           ads->auth.time_offset);
+                           ads->config.time_offset);
        if (ret != 0) {
                goto failure;
        }
@@ -641,7 +641,7 @@ static int net_ads_info(struct net_context *c, int argc, const char **argv)
                         http_timestring(tmp_ctx, ads->config.current_time));
 
        d_printf(_("KDC server: %s\n"), ads->auth.kdc_server );
-       d_printf(_("Server time offset: %d\n"), ads->auth.time_offset );
+       d_printf(_("Server time offset: %d\n"), ads->config.time_offset );
 
        d_printf(_("Last machine account password change: %s\n"),
                 http_timestring(tmp_ctx, pass_time));
@@ -1023,8 +1023,7 @@ static int ads_user_add(struct net_context *c, int argc, const char **argv)
                goto done;
        }
 
-       status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1],
-                                      ads->auth.time_offset);
+       status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1], 0);
        if (ADS_ERR_OK(status)) {
                d_printf(_("User %s added\n"), argv[0]);
                rc = 0;
@@ -2691,7 +2690,7 @@ static int net_ads_password(struct net_context *c, int argc, const char **argv)
                                       auth_password,
                                       user,
                                       new_password,
-                                      ads->auth.time_offset);
+                                      0);
        memset(new_password, '\0', strlen(new_password));
        if (!ADS_ERR_OK(status)) {
                d_fprintf(stderr, _("Password change failed: %s\n"),
index 9764c874f77627a714ca3f370da7eea82d3333e6..e12972aa56de6bb99f090bd6d8b64154ddbc11ad 100644 (file)
@@ -747,7 +747,6 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
        char *name_user = NULL;
        time_t ticket_lifetime = 0;
        time_t renewal_until = 0;
-       time_t time_offset = 0;
        const char *user_ccache_file;
        struct PAC_LOGON_INFO *logon_info = NULL;
        struct PAC_UPN_DNS_INFO *upn_dns_info = NULL;
@@ -789,10 +788,6 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
        /* 2nd step:
         * get kerberos properties */
 
-       if (domain->backend_data.ads_conn != NULL) {
-               time_offset = domain->backend_data.ads_conn->auth.time_offset;
-       }
-
 
        /* 3rd step:
         * do kerberos auth and setup ccache as the user */
@@ -858,7 +853,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
        result = kerberos_return_pac(mem_ctx,
                                     principal_s,
                                     pass,
-                                    time_offset,
+                                    0, /* time_offset */
                                     &ticket_lifetime,
                                     &renewal_until,
                                     cc,
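Review bot: Removing the `if (domain->backend_data.ads_conn != NULL)` block leaves the `/* 2nd step: get kerberos properties */` comment with nothing beneath it but two consecutive blank lines before the `/* 3rd step:` comment, so the comment is now stale. Either delete the 2nd-step comment together with one of the blank lines, or keep it and state that no properties are fetched any more; renumbering the remaining steps would mean touching lines outside this hunk. winbindd_raw_kerberos_login starts before the first hunk of this file and continues past the last one.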