[Samba] Samba kerberos more time sensitive that Windows?

Danilo Almeida dalmeida at centeris.com
Thu Apr 26 18:40:57 GMT 2007


<quote from="Gerald (Jerry) Carter">
Jason Haar wrote:
> Hi there
> 
> We just had a problem where a user couldn't connect to a Samba server
> that is a full ADS member. The same user could successfully connect to
> Windows2K3 servers.
> 
> The problem was obvious - their clock was 5 hours out, and Samba
> rejected their connections with a "Failed to verify incoming ticket".
> Correcting the time fixed the fault. However, it remains that Samba
> rejected them when Windows servers didn't.
> 
> Is that an option that can be enabled? Anything that makes Samba look
> more like Windows is a Good Thing (even if it violates the entire point
> of Kerberos! ;-)

Windows clients apparently adjust their clocks based on the
CLOCK_SKEW error returned in the negprot response.  It's hard
for us in these cases since we are not the OS.
</quote>

Not quite. 

Basically, in the krb5 error, the Windows server sends back a server time to the client.  The client uses this time to re-issue the krb5 auth request with a new authenticator generated using the server time.  This is not subject to man-in-the-middle.

So, IIRC, the fundamental issue is that the Samba server's krb5 response does not include its time information.

This came up on the list last September:
http://lists.samba.org/archive/samba/2006-September/125610.html

Which pointed to a response on the kerberos list:
http://mailman.mit.edu/pipermail/kerberos/2006-September/010482.html

- Danilo
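The exchange Danilo describes, as an added illustration that is not part of the original mail and not Samba or MIT krb5 code: the application server checks the authenticator's timestamp against a skew window (300 seconds, the usual krb5 `clockskew` default), and on failure returns KRB_AP_ERR_SKEW (RFC 4120 error code 37). A client that receives the server's time in that error computes an offset and re-issues the request with a corrected timestamp; a client whose error reply carries no server time has nothing to correct with and fails, which is the behaviour the thread reports. The timestamps, the 5-hour skew and the `report_stime` switch are constructed for the example; in the real protocol the Authenticator is encrypted under the session key, so the offset learned from the error only changes the time the client puts in its own retry.

```python
"""Toy model of Kerberos AP-REQ clock-skew handling (RFC 4120 KRB_AP_ERR_SKEW).

Constructed example, not Samba or MIT krb5 code. Timestamps are plain ints
(seconds since the epoch) and the authenticator is reduced to its ctime,
so only the skew-check and retry logic is shown.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_CLOCK_SKEW = 300        # seconds; the common krb5 'clockskew' default
KRB_AP_ERR_SKEW = 37        # RFC 4120 error code: "clock skew too great"


@dataclass
class KrbError:
    error_code: int
    stime: Optional[int]    # server's time; the field the client needs to self-correct


@dataclass
class ApServer:
    """Application server verifying the ctime in an incoming authenticator."""
    clock: int                      # the server's own notion of 'now' (constructed)
    report_stime: bool = True       # False models an error reply without usable time
    log: list = field(default_factory=list)

    def verify(self, ctime: int) -> Optional[KrbError]:
        skew = abs(ctime - self.clock)
        if skew > MAX_CLOCK_SKEW:
            self.log.append(f"reject ctime={ctime} skew={skew}s > {MAX_CLOCK_SKEW}s")
            return KrbError(KRB_AP_ERR_SKEW, self.clock if self.report_stime else None)
        self.log.append(f"accept ctime={ctime} skew={skew}s")
        return None


@dataclass
class ApClient:
    """Client whose local clock may be wrong; learns an offset from KRB_AP_ERR_SKEW."""
    clock: int                      # client's (possibly wrong) local time
    offset: int = 0                 # correction learned from the server's stime

    def authenticate(self, server: ApServer) -> bool:
        # First attempt: authenticator timestamp taken from the local clock.
        err = server.verify(self.clock + self.offset)
        if err is None:
            return True
        if err.error_code != KRB_AP_ERR_SKEW or err.stime is None:
            # No server time to correct with: the client gives up, as reported.
            return False
        # Derive the offset from the server's reported time and retry once.
        self.offset = err.stime - self.clock
        return server.verify(self.clock + self.offset) is None


def run_scenarios(skew_seconds: int = 5 * 3600) -> dict:
    """Client 5 hours behind (as in the thread) against two kinds of server."""
    server_now = 1_177_612_857      # constructed epoch time, near the post's date
    client_now = server_now - skew_seconds
    with_stime = ApClient(client_now).authenticate(ApServer(server_now))
    without_stime = ApClient(client_now).authenticate(
        ApServer(server_now, report_stime=False))
    return {"server_reports_time": with_stime, "server_omits_time": without_stime}


if __name__ == "__main__":
    print(run_scenarios())
```

Running the block shows the first server accepting the corrected retry and the second rejecting the client outright; `ApServer.log` holds both sides' view of each attempt, which is the check an administrator would want in the server's own logs when diagnosing a "Failed to verify incoming ticket" report.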


