URL:
https://github.com/SSSD/sssd/pull/328
Title: #328: KRB5: Return invalid credentials internally when attempting to renew an expired TGT
jhrozek commented:
"""
Yes, I tested that we switch to offline mode with a clock skew so bad it triggers a
libkrb5 error:
```
(Mon Jul 24 19:36:04 2017) [[sssd[krb5_child[11924]]]] [map_krb5_error] (0x0020): 1657: [-1765328352][Ticket expired]
(Mon Jul 24 19:36:04 2017) [[sssd[krb5_child[11924]]]] [k5c_send_data] (0x0200): Received error code 1432158229
(Mon Jul 24 19:36:04 2017) [[sssd[krb5_child[11924]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Mon Jul 24 19:36:04 2017) [[sssd[krb5_child[11924]]]] [k5c_send_data] (0x4000): Response sent.
(Mon Jul 24 19:36:04 2017) [[sssd[krb5_child[11924]]]] [main] (0x0400): krb5_child completed successfully
(Mon Jul 24 19:36:04 2017) [sssd[be[ipa.test]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon Jul 24 19:36:04 2017) [sssd[be[ipa.test]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: /sssd/src/providers/krb5/krb5_auth.c: krb5_auth_done: 986
(Mon Jul 24 19:36:04 2017) [sssd[be[ipa.test]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'unidirect.ipa.test' as 'not working'
(Mon Jul 24 19:36:04 2017) [sssd[be[ipa.test]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'unidirect.ipa.test' as 'not working'
```
There is no automated test yet. We really need to merge the pam_wrapper integration --
once we have that, it should be trivial to expand the KDC tests we already have because of
KCM to also call into a pam_wrapper conversation to trigger a krb5_auth request. But
I'm not sure it would be easy to simulate a clock skew without mocking quite a few
interfaces or true multi-host tests.
If you're OK with pushing the patches, please add the Accepted label.
"""
See the full comment at
https://github.com/SSSD/sssd/pull/328#issuecomment-317532064
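Added example, not part of this PR or of SSSD's own code: a small parser for the SSSD debug-log format shown in the comment that flags a libkrb5 error reported by krb5_child followed by the backend marking the server as not working, which is the switch to offline mode the test above demonstrates. The function names and the sample log (lines taken from the comment, rejoined onto single lines) are my own constructions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One SSSD debug-log line: "(timestamp) [component] [function] (0xlevel): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<comp>.*?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# What map_krb5_error prints for a libkrb5 error: "<line>: [<code>][<text>]"
KRB5_ERR_RE = re.compile(r"\[(?P<code>-?\d+)\]\[(?P<text>[^\]]+)\]")
PORT_RE = re.compile(r"Marking port \d+ of server '(?P<server>[^']+)' as 'not working'")

# libkrb5 error codes are ERROR_TABLE_BASE_krb5 (-1765328384) plus the protocol error number
KRB5_ERROR_BASE = -1765328384
KRB5_ERROR_NAMES = {32: "KRB5KRB_AP_ERR_TKT_EXPIRED", 37: "KRB5KRB_AP_ERR_SKEW"}

# Constructed sample: the comment's log lines, wrapped lines rejoined
SAMPLE_LOG = """\
(Mon Jul 24 19:36:04 2017) [[sssd[krb5_child[11924]]]] [map_krb5_error] (0x0020): 1657: [-1765328352][Ticket expired]
(Mon Jul 24 19:36:04 2017) [[sssd[krb5_child[11924]]]] [k5c_send_data] (0x0200): Received error code 1432158229
(Mon Jul 24 19:36:04 2017) [sssd[be[ipa.test]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: /sssd/src/providers/krb5/krb5_auth.c: krb5_auth_done: 986
(Mon Jul 24 19:36:04 2017) [sssd[be[ipa.test]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'unidirect.ipa.test' as 'not working'
""".splitlines()

@dataclass
class Entry:
    ts: str
    component: str
    function: str
    level: int
    message: str

def parse_line(line: str) -> Optional[Entry]:
    """Split one debug-log line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["ts"], m["comp"], m["func"], int(m["level"], 16), m["msg"])

def krb5_error_name(code: int) -> str:
    """Map a libkrb5 error code to its symbolic name where known."""
    return KRB5_ERROR_NAMES.get(code - KRB5_ERROR_BASE, f"krb5 error {code - KRB5_ERROR_BASE}")

def offline_transition(lines):
    """Return (krb5_code, krb5_text, server) when a krb5_child libkrb5 error is later
    followed by the backend marking a server port 'not working'; None otherwise."""
    err = None
    for entry in filter(None, map(parse_line, lines)):
        if entry.function == "map_krb5_error" and (m := KRB5_ERR_RE.search(entry.message)):
            err = (int(m["code"]), m["text"])
        elif err and entry.function == "fo_set_port_status" and (m := PORT_RE.search(entry.message)):
            return err + (m["server"],)
    return None
```

Feeding a full sssd_<domain>.log plus the krb5_child.log through offline_transition answers the usual support question of whether a reported "went offline" event was caused by a Kerberos error rather than a network failure.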