From 83011d97d17bd00e99ccf1e0302167a6bc0db84e Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Nov 29 2013 10:58:22 +0000 Subject: KRB5: Go offline in case of clock skew https://fedorahosted.org/sssd/ticket/1096 In case the KDC has skewed time, we can retry with the next one and eventually go offline if no KDC has time in sync with the client. Previously, authentication with wrong time resulted in System Error. --- diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index bd937e8..5859223 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -986,6 +986,7 @@ static errno_t map_krb5_error(krb5_error_code kerr) case KRB5_LIBOS_CANTREADPWD: return ERR_NO_CREDS; + case KRB5KRB_AP_ERR_SKEW: case KRB5_KDC_UNREACH: case KRB5_REALM_CANT_RESOLVE: return ERR_NETWORK_IO;