Why use krb5_set_real_time() instead of NTP ?
Stefan (metze) Metzmacher
metze at samba.org
Wed May 10 09:17:36 GMT 2006
Gerald (Jerry) Carter schrieb:
> Luke Howard wrote:
>>> Well, you don't have to change the system time (of course whether
>>> you securely know what the KDC time is is another matter).
>>> From the Heimdal code:
>>> * Set the absolute time that the caller knows the kdc has so the
>>> * kerberos library can calculate the relative difference between the
>>> * KDC time and local system time.
> Maybe I'm being dense here, but is this really the case of
> a user space application trying to work around
> an unsynchronized system clock on the client?
That's what Windows also does.
When Windows gets the CLOCK_SKEW error to a KDC request it uses the time
field in the error response and then retries the request. It also looks
at the error string field in this case; I assume the NTSTATUS code
should be in there to make this work.
I fixed this against samba4 by sending no error string at all, and the
Windows clients are happy to retry against samba4 now too.
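The skew-and-retry behaviour discussed in this message, as an added example that is not part of the original post and is not Heimdal, Samba or Windows code: a self-contained C simulation in which the client keeps an offset to KDC time instead of changing the system clock. The names sim_ctx, sim_kdc, kdc_handle and client_request, the single retry and the MAX_ADJUST bound are assumptions made for illustration; the bound is there because a KRB-ERROR is not integrity protected.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#define MAX_SKEW   300          /* usual Kerberos clock-skew tolerance, seconds */
#define MAX_ADJUST (24 * 3600)  /* assumed local policy: largest correction taken from an error */

enum { REQ_OK = 0, REQ_SKEW = 1, REQ_REJECTED = 2 };

struct sim_ctx { time_t local_now; long kdc_offset; };  /* hypothetical client context */
struct sim_kdc { time_t now; };                         /* constructed stand-in for a KDC */

/* Client's view of KDC time: local clock plus stored offset; system clock untouched. */
static time_t ctx_time(const struct sim_ctx *c) { return c->local_now + c->kdc_offset; }

/* KDC side: accept a timestamp within MAX_SKEW, otherwise report a skew
 * error that carries the server's own time (the time field of the error). */
static int kdc_handle(const struct sim_kdc *k, time_t ctime, time_t *stime)
{
    *stime = k->now;
    return labs((long)(ctime - k->now)) <= MAX_SKEW ? REQ_OK : REQ_SKEW;
}

/* Client side: on a skew error, derive an offset from the reported time and retry once. */
static int client_request(struct sim_ctx *c, const struct sim_kdc *k)
{
    time_t stime;
    int rc = kdc_handle(k, ctx_time(c), &stime);
    if (rc != REQ_SKEW)
        return rc;
    long delta = (long)(stime - c->local_now);
    if (labs(delta) > MAX_ADJUST)   /* unauthenticated input: refuse implausible corrections */
        return REQ_REJECTED;
    c->kdc_offset = delta;          /* only the library's notion of time changes */
    return kdc_handle(k, ctx_time(c), &stime);
}

int main(void)
{
    struct sim_kdc kdc = { 1147252656 };              /* constructed KDC clock */
    struct sim_ctx c = { 1147252656 - 2 * 3600, 0 };  /* client two hours behind */
    printf("result=%d offset=%ld\n", client_request(&c, &kdc), c.kdc_offset);
    return 0;
}
```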