Hi all,
It seems we hit a "year 2038" related problem in the IPA-client
(krb5_child). We're using IPA for service accounts and to be sure these
accounts will not expire, we created a password policy:
ipa pwpolicy-show service_accounts
Group: service_accounts
Max lifetime (days): 9999
...
To be on the safe side, the max lifetime is set to 9999 days. That's
well beyond 19 January 2038 03:14:07 UTC...
Now, when a service account logs in, the krb5_child.log on the
IPA client will show errors like:
(2025-03-03 11:55:12): [krb5_child[2058626]]
[sss_krb5_expire_callback_func] (0x0020): [RID#5037] Time to expire out
of range.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
BACKTRACE:
* (2025-03-03 11:55:12): [krb5_child[2058626]] [main] (0x0400):
[RID#5037] krb5_child started.
* (2025-03-03 11:55:12): [krb5_child[2058626]] [unpack_buffer]
(0x1000): [RID#5037] total buffer size: [144]
* (2025-03-03 11:55:12): [krb5_child[2058626]] [unpack_buffer]
(0x0100): [RID#5037] cmd [241 (auth)] uid [100045] gid [100045] validate
[true] enterprise principal [false] offline [false] UPN
[[email protected]]
* (2025-03-03 11:55:12): [krb5_child[2058626]] [unpack_buffer]
(0x0100): [RID#5037] ccname: [KCM:] old_ccname: [KCM:] keytab:
[/etc/krb5.keytab]
* (2025-03-03 11:55:12): [krb5_child[2058626]] [switch_creds]
(0x0200): [RID#5037] Switch user to [100045][100045].
* (2025-03-03 11:55:12): [krb5_child[2058626]] [switch_creds]
(0x0200): [RID#5037] Switch user to [0][0].
* (2025-03-03 11:55:12): [krb5_child[2058626]]
[k5c_check_old_ccache] (0x4000): [RID#5037] Ccache_file is [KCM:] and is
not active and TGT is valid.
* (2025-03-03 11:55:12): [krb5_child[2058626]]
[k5c_precreate_ccache] (0x4000): [RID#5037] Recreating ccache
* (2025-03-03 11:55:12): [krb5_child[2058626]] [k5c_setup_fast]
(0x0100): [RID#5037] Fast principal is set to
[host/[email protected]]
* (2025-03-03 11:55:12): [krb5_child[2058626]]
[find_principal_in_keytab] (0x4000): [RID#5037] Trying to find principal
host/[email protected] in keytab.
* (2025-03-03 11:55:12): [krb5_child[2058626]] [match_principal]
(0x1000): [RID#5037] Principal matched to the sample
(host/[email protected]).
* (2025-03-03 11:55:12): [krb5_child[2058626]] [check_fast_ccache]
(0x0200): [RID#5037] FAST TGT is still valid.
* (2025-03-03 11:55:12): [krb5_child[2058626]] [become_user]
(0x0200): [RID#5037] Trying to become user [100045][100045].
* (2025-03-03 11:55:12): [krb5_child[2058626]] [main] (0x2000):
[RID#5037] Running as [100045][100045].
* (2025-03-03 11:55:12): [krb5_child[2058626]]
[set_lifetime_options] (0x0100): [RID#5037] No specific renewable
lifetime requested.
* (2025-03-03 11:55:12): [krb5_child[2058626]]
[set_lifetime_options] (0x0100): [RID#5037] No specific lifetime
requested.
* (2025-03-03 11:55:12): [krb5_child[2058626]]
[set_canonicalize_option] (0x0100): [RID#5037] Canonicalization is set
to [true]
* (2025-03-03 11:55:12): [krb5_child[2058626]] [main] (0x0400):
[RID#5037] Will perform auth
* (2025-03-03 11:55:12): [krb5_child[2058626]] [main] (0x0400):
[RID#5037] Will perform online auth
* (2025-03-03 11:55:12): [krb5_child[2058626]] [tgt_req_child]
(0x1000): [RID#5037] Attempting to get a TGT
* (2025-03-03 11:55:12): [krb5_child[2058626]] [get_and_save_tgt]
(0x0400): [RID#5037] Attempting kinit for realm [SOME-DOMAIN.LAN]
* (2025-03-03 11:55:12): [krb5_child[2058626]] [sss_krb5_responder]
(0x4000): [RID#5037] Got question [password].
* (2025-03-03 11:55:12): [krb5_child[2058626]]
[sss_krb5_expire_callback_func] (0x0020): [RID#5037] Time to expire out
of range.
********************** BACKTRACE DUMP ENDS HERE
*********************************
Doing some more testing:
ipa user-mod some_service_account --password-expiration='2038-01-19
03:14:06Z' --> the errors will disappear (one second before the
"Epochalypse")
ipa user-mod some_service_account --password-expiration='2038-01-19
03:14:08Z' --> the error returns! (one second after the "Epochalypse")
For now, setting the expiry date below January 19 2038 is OK, but it
smells like a bug, doesn't it...?
Should a bug report be created on this topic? Where?
Kind regards,
Winfried
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
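The boundary the post measures (03:14:07Z works, 03:14:08Z fails) is the largest value a signed 32-bit Unix timestamp can hold, 2147483647. The following C program is an added example, not SSSD or FreeIPA code, that an administrator could use to check whether a password policy's "Max lifetime (days)" pushes an account's expiration past that limit before the krb5_child error shows up. It assumes only that the out-of-range condition coincides with the 32-bit boundary, as the post's two experiments suggest; the civil-date conversion is a self-contained days-from-civil calculation so it does not depend on the platform's time_t width or on timegm().

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Largest value a signed 32-bit time_t can represent:
 * 2038-01-19 03:14:07 UTC, the "Epochalypse" boundary from the post. */
#define TIME32_MAX 2147483647LL

/* Days since 1970-01-01 for a proleptic Gregorian date (UTC).
 * Standard days-from-civil arithmetic; valid for any year in practice. */
static int64_t days_from_civil(int y, int m, int d)
{
    y -= (m <= 2);
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;                                   /* year of era   */
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;   /* day of year   */
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;            /* day of era    */
    return era * 146097 + doe - 719468;                             /* shift to 1970 */
}

/* Unix timestamp (64-bit) for a UTC calendar time, e.g. the value in
 * "--password-expiration='2038-01-19 03:14:07Z'". */
int64_t utc_to_epoch(int y, int m, int d, int hh, int mm, int ss)
{
    return days_from_civil(y, m, d) * 86400 + hh * 3600 + mm * 60 + ss;
}

/* True when the timestamp is representable as a signed 32-bit time_t. */
bool fits_in_time32(int64_t t)
{
    return t >= INT32_MIN && t <= TIME32_MAX;
}

/* Expiration a policy would produce: "now" plus max_life_days days.
 * This is the hypothetical check this example adds, not an IPA API. */
int64_t policy_expiration(int64_t now, int max_life_days)
{
    return now + (int64_t)max_life_days * 86400;
}

int main(void)
{
    /* Constructed inputs: the post's log timestamp and its policy value. */
    int64_t now = utc_to_epoch(2025, 3, 3, 11, 55, 12);
    int64_t exp_9999 = policy_expiration(now, 9999);
    int64_t ok = utc_to_epoch(2038, 1, 19, 3, 14, 7);
    int64_t bad = utc_to_epoch(2038, 1, 19, 3, 14, 8);

    printf("2038-01-19 03:14:07Z = %lld (fits: %s)\n", (long long)ok,
           fits_in_time32(ok) ? "yes" : "no");
    printf("2038-01-19 03:14:08Z = %lld (fits: %s)\n", (long long)bad,
           fits_in_time32(bad) ? "yes" : "no");
    printf("now + 9999 days      = %lld (fits: %s)\n", (long long)exp_9999,
           fits_in_time32(exp_9999) ? "yes" : "no");
    return 0;
}
```

Running it shows that 9999 days from the date in the log lands in 2052, well past the boundary, while a lifetime that keeps the expiration before 2038-01-19 03:14:07 UTC stays representable; that is the same split the post observed by editing the expiration date one second either side of the limit.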