From: Stefan Metzmacher
Date: Tue, 27 Feb 2024 12:49:08 +0000 (+0100)
Subject: s3:libads: move ads->auth.time_offset to ads->config.time_offset
X-Git-Tag: tdb-1.4.11~766
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bac243442a6ce812a4dcce0168b7d6d9ba0a17fc;p=thirdparty%2Fsamba.git

s3:libads: move ads->auth.time_offset to ads->config.time_offset

There's no reason to pass the LDAP servers time to the kerberos libraries, as we may talk to a KDC different than the LDAP server! Also Heimdal handles AS-REQ with KRB5KRB_AP_ERR_SKEW fine and retries with the time from the krb-error. MIT records the time from the KDC_ERR_PREAUTH_REQUIRED response in order to use the KDCs time.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
---
diff --git a/source3/libads/kerberos_util.c b/source3/libads/kerberos_util.c
index 7fca56d3741..0e98c3acca6 100644
--- a/source3/libads/kerberos_util.c
+++ b/source3/libads/kerberos_util.c
@@ -63,7 +63,7 @@ int ads_kinit_password(ADS_STRUCT *ads)
 }
 ret = kerberos_kinit_password_ext(s, ads->auth.password,
- ads->auth.time_offset,
+ 0,
 NULL, NULL, ads->auth.ccache_name, false, false, 0,
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 5e3c96fb8d8..bb219baec80 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -3701,10 +3701,16 @@ ADS_STATUS ads_current_time(ADS_STRUCT *ads)
 ads->config.current_time = ads_parse_time(timestr);
 if (ads->config.current_time != 0) {
- ads->auth.time_offset = ads->config.current_time - time(NULL);
- DEBUG(4,("KDC time offset is %d seconds\n", ads->auth.time_offset));
+ ads->config.time_offset = ads->config.current_time - time(NULL);
+ DBG_INFO("server time offset is %d seconds\n",
+ ads->config.time_offset);
+ } else {
+ ads->config.time_offset = 0;
 }
+ DBG_INFO("server time offset is %d seconds\n",
+ ads->config.time_offset);
+
 ads_msgfree(ads, res);
 status = ADS_SUCCESS;
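Review bot: The bare `0` that replaces `ads->auth.time_offset` in the kerberos_kinit_password_ext() call gives the reader no hint which parameter it fills, whereas the same replacement in winbindd_pam.c is written as `0, /* time_offset */`. Using that form here as well, and at the other bare-zero call sites in this commit (kerberos_set_password() in libads/util.c, ads_krb5_set_password() in net_ads.c's ads_user_add and net_ads_password), keeps the call sites self-explanatory. Since every caller touched by this commit now passes a constant 0, the parameter looks like a candidate for removal in a follow-up, assuming no other caller outside this diff still passes a real offset. ads_kinit_password's body continues outside the hunk.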
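Review bot: When ads->config.current_time is non-zero the new code logs "server time offset is %d seconds" twice, once from the DBG_INFO inside the if-branch and again from the unconditional DBG_INFO added after the closing brace. The two lines inside the branch, `DBG_INFO("server time offset is %d seconds\n",` / `ads->config.time_offset);`, can be dropped; the unconditional log after the block already covers both the computed value and the new else path that resets it to 0. The assignment also narrows a time_t difference into the int time_offset field, as the old code did; a short comment such as `/* LDAP server clock minus local clock; informational only, not passed to Kerberos */` would record why that is tolerable now that the value no longer reaches the Kerberos libraries. ads_current_time's body begins and ends outside the hunk.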
diff --git a/source3/libads/util.c b/source3/libads/util.c
index a1e33fd3b33..4bb97f81799 100644
--- a/source3/libads/util.c
+++ b/source3/libads/util.c
@@ -110,7 +110,7 @@ ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_princip
 talloc_keep_secret(new_pw_blob.data);
 new_password = (const char *)new_pw_blob.data;
- ret = kerberos_set_password(ads->auth.kdc_server, host_principal, password, host_principal, new_password, ads->auth.time_offset);
+ ret = kerberos_set_password(ads->auth.kdc_server, host_principal, password, host_principal, new_password, 0);
 if (!ADS_ERR_OK(ret)) {
 status = ads_ntstatus(ret);
diff --git a/source3/librpc/idl/ads.idl b/source3/librpc/idl/ads.idl
index ded3c738d6d..49fafb37abf 100644
--- a/source3/librpc/idl/ads.idl
+++ b/source3/librpc/idl/ads.idl
@@ -52,7 +52,6 @@ interface ads
 string user_name;
 string kdc_server;
 ads_auth_flags flags;
- int time_offset;
 string ccache_name;
 NTTIME expire_time;
 } ads_auth;
@@ -66,6 +65,7 @@ interface ads
 string server_site_name;
 string client_site_name;
 time_t current_time;
+ int time_offset;
 string schema_path;
 string config_path;
 int ldap_page_size;
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index df8517d1744..4350e5e9b41 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -553,7 +553,7 @@ static int net_ads_info_json(ADS_STRUCT *ads)
 }
 ret = json_add_int (&jsobj, "Server time offset",
- ads->auth.time_offset);
+ ads->config.time_offset);
 if (ret != 0) {
 goto failure;
 }
@@ -641,7 +641,7 @@ static int net_ads_info(struct net_context *c, int argc, const char **argv)
 http_timestring(tmp_ctx, ads->config.current_time));
 d_printf(_("KDC server: %s\n"), ads->auth.kdc_server );
- d_printf(_("Server time offset: %d\n"), ads->auth.time_offset );
+ d_printf(_("Server time offset: %d\n"), ads->config.time_offset );
 d_printf(_("Last machine account password change: %s\n"),
 http_timestring(tmp_ctx, pass_time));
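Review bot: The relocated `int time_offset` member in ads_config carries no comment, so nothing in the IDL explains how it relates to the neighbouring `time_t current_time` or that the Kerberos code paths no longer consume it. A comment on the new line such as `int time_offset; /* current_time minus local time(); informational only (net ads info), not used for Kerberos */` would capture the intent given in the commit message. The member is an int while current_time is a time_t, so the stored value is a narrowed difference; if that is deliberate the comment is the place to say so.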
@@ -1023,8 +1023,7 @@ static int ads_user_add(struct net_context *c, int argc, const char **argv)
 goto done;
 }
- status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1],
- ads->auth.time_offset);
+ status = ads_krb5_set_password(ads->auth.kdc_server, upn, argv[1], 0);
 if (ADS_ERR_OK(status)) {
 d_printf(_("User %s added\n"), argv[0]);
 rc = 0;
@@ -2691,7 +2690,7 @@ static int net_ads_password(struct net_context *c, int argc, const char **argv)
 auth_password, user, new_password,
- ads->auth.time_offset);
+ 0);
 memset(new_password, '\0', strlen(new_password));
 if (!ADS_ERR_OK(status)) {
 d_fprintf(stderr, _("Password change failed: %s\n"),
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 9764c874f77..e12972aa56d 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -747,7 +747,6 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 char *name_user = NULL;
 time_t ticket_lifetime = 0;
 time_t renewal_until = 0;
- time_t time_offset = 0;
 const char *user_ccache_file;
 struct PAC_LOGON_INFO *logon_info = NULL;
 struct PAC_UPN_DNS_INFO *upn_dns_info = NULL;
@@ -789,10 +788,6 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 /* 2nd step:
 * get kerberos properties */
- if (domain->backend_data.ads_conn != NULL) {
- time_offset = domain->backend_data.ads_conn->auth.time_offset;
- }
-
 /* 3rd step:
 * do kerberos auth and setup ccache as the user */
@@ -858,7 +853,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 result = kerberos_return_pac(mem_ctx,
 principal_s,
 pass,
- time_offset,
+ 0, /* time_offset */
 &ticket_lifetime,
 &renewal_until,
 cc,