[Samba] Samba kerberos more time sensitive that Windows?
Danilo Almeida
dalmeida at centeris.com
Thu Apr 26 18:40:57 GMT 2007
<quote from="Gerald (Jerry) Carter">
Jason Haar wrote:
> Hi there
>
> We just had a problem where a user couldn't connect to a Samba server
> that is a full ADS member. The same user could successfully connect to
> Windows2K3 servers.
>
> The problem was obvious - their clock was 5 hours out, and Samba
> rejected their connections with a "Failed to verify incoming ticket".
> Correcting the time fixed the fault. However, it remains that Samba
> rejected them when Windows servers didn't.
>
> Is that an option that can be enabled? Anything that makes Samba look
> more like Windows is a Good Thing (even if it violates the entire point
> of Kerberos! ;-)
Windows client apparently adjust their clocks based on the
CLOCK_SKEW error returned in the negprot response. It's hard
for us in this cases since we are not the OS.
</quote>
Not quite.
Basically, in the krb5 error, the Windows server sends back a server time to the client. The client uses this time to re-issue the krb5 auth request with a new authenticator generated using the server time. This is not subject to man-in-the-middle.
So, IIRC, the fundamental issue is that the Samba server's krb5 response does not include its time information.
This came up on the list last September:
http://lists.samba.org/archive/samba/2006-September/125610.html
Which pointed to a response on the kerberos list:
http://mailman.mit.edu/pipermail/kerberos/2006-September/010482.html
- Danilo
More information about the samba
mailing list