From: Andreas Schneider Date: Wed, 19 Nov 2025 13:42:24 +0000 (+0100) Subject: s3:libads: Set a request timeout for Kerberos requests X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=92601536ba0490bdfb5dd632fff2e5c0b541620c;p=thirdparty%2Fsamba.git s3:libads: Set a request timeout for Kerberos requests Without this, libkrb5 can wait indefinitely after creating a TCP connection. This means winbind is stuck forever till it is restarted. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15955 Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy
---
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index d8325201b2f..f683ed19d23 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -1380,6 +1380,15 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
 char *enctypes = NULL;
 const char *include_system_krb5 = "";
 mode_t mask;
+ /*
+ * The default will be 15 seconds, it can be changed in the smb.conf:
+ * [global]
+ * krb5:request_timeout = 30
+ */
+ int timeout_sec = lp_parm_int(-1,
+ "krb5",
+ "request_timeout",
+ 15 /* default */);
 if (!lp_create_krb5_conf()) {
 return false;
@@ -1449,6 +1458,11 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
 file_contents = talloc_asprintf(fname,
 "[libdefaults]\n"
+#ifdef SAMBA4_USES_HEIMDAL
+ "\tkdc_timeout = %d\n"
+#else
+ "\trequest_timeout = %ds\n"
+#endif
 "\tdefault_realm = %s\n"
 "%s"
 "\tdns_lookup_realm = false\n"
@@ -1458,6 +1472,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
 "\t%s = {\n"
 "%s\t}\n"
 "%s\n",
+ timeout_sec,
 realm_upper,
 enctypes,
 realm_upper,
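Review bot: The value returned by `lp_parm_int(-1, "krb5", "request_timeout", 15)` in the first hunk goes into the generated krb5.conf with no range check, so a zero or negative `krb5:request_timeout` in smb.conf is written out verbatim. A negative number would produce a line such as `request_timeout = -5s` (constructed example) that the Kerberos library may reject or ignore, and zero may be read as "no limit", which would bring back the indefinite wait this commit is meant to stop; both readings should be confirmed against the library in use. A guard directly after the declaration keeps the protection in place: `if (timeout_sec <= 0) { timeout_sec = 15; }`, ideally with a `DBG_WARNING` naming the rejected value. The function body continues outside the hunk.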
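Review bot: The `#ifdef SAMBA4_USES_HEIMDAL` block in the second hunk sits inside the argument list of `talloc_asprintf()`, which is hard to follow and would be undefined behaviour if that name were ever turned into a function-like macro. Choosing the line once above the call, e.g. `#define KRB5_CONF_TIMEOUT_FMT "\tkdc_timeout = %d\n"` under the `#ifdef` with the `request_timeout` variant under `#else`, and then using that macro as the fragment after `"[libdefaults]\n"`, keeps the `%d` visibly paired with the `timeout_sec` argument added in the third hunk. The MIT branch also deserves a comment that a libkrb5 build which does not know `request_timeout` will presumably skip the key silently, so the hang would remain on such systems. The call starts and ends outside the hunk.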