FULL PRODUCT VERSION :
A DESCRIPTION OF THE PROBLEM :
In the Kerberos procotol, current client timestamp is encapsulated in the Kerberos query sent to the KDC to obtain a TGT. The timestamp in the query must be accurate (The KDC timestamp accepts 5mn deviation in most case); if not the KDC return a "Clock too skew" error.
To obtain the current Timestamp, previously in the JDK 6, the 'KerberosTime' 'setNow()' method instanciates a 'new Date()' object . A JDK 7 bug fix (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6882687) introduces a major change in this class. The current timestamp is evaluated using the time elapsed since the JVM startup (use of System.nanoTime()).
This implementation totally misses the fact that both client and server generally use a time server (NTP) to synchronize their clocks. Clock adjustement is not taking into account in the current implementation while the previous implementation does.
REGRESSION. Last worked in version 6u26
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Develop a small Java client application that queries a KDC to obtain TGT each minutes. (Both client and KDC are hosted on the same machine)
2. Run the Java application.
3. Set the system clock and add 15 minutes to the current time
EXPECTED VERSUS ACTUAL BEHAVIOR :
The KDC continues to deliver client TGT using the new time
The KDC returns an error 'Clock skew too great'
ERROR MESSAGES/STACK TRACES THAT OCCUR :
The Java application thrown an Exception javax.security.auth.login.LoginException: Clock skew too great (37) - PREAUTH_FAILED
This bug can be reproduced always.