[Samba] Samba kerberos more time sensitive than Windows?

Danilo Almeida dalmeida at centeris.com
Thu Apr 26 18:40:57 GMT 2007

<quote from="Gerald (Jerry) Carter">
Jason Haar wrote:
> Hi there
> We just had a problem where a user couldn't connect to a Samba server
> that is a full ADS member. The same user could successfully connect to
> Windows2K3 servers.
> The problem was obvious - their clock was 5 hours out, and Samba
> rejected their connections with a "Failed to verify incoming ticket".
> Correcting the time fixed the fault. However, it remains that Samba
> rejected them when Windows servers didn't.
> Is that an option that can be enabled? Anything that makes Samba look
> more like Windows is a Good Thing (even if it violates the entire point
> of Kerberos! ;-)

Windows clients apparently adjust their clocks based on the
CLOCK_SKEW error returned in the negprot response.  It's hard
for us in this case since we are not the OS.
</quote>

Not quite. 

Basically, in the krb5 error, the Windows server sends back a server time to the client.  The client uses this time to re-issue the krb5 auth request with a new authenticator generated using the server time.  This is not subject to man-in-the-middle.

So, IIRC, the fundamental issue is that the Samba server's krb5 response does not include its time information.

This came up on the list last September:

Which pointed to a response on the kerberos list:

- Danilo
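
The retry described in the message above, as an added sketch that is not part of the original post and is not Samba or Windows code. It models both sides: a server that returns the skew error (code 37, KRB_AP_ERR_SKEW in RFC 4120) with or without its time, and a client that applies the returned time as an offset to a fresh authenticator instead of changing its clock. All function names are hypothetical, an HMAC stands in for the encrypted authenticator, a dict stands in for the KRB-ERROR message, and the key and times are constructed sample values.

```python
import hashlib, hmac, struct

KRB_AP_ERR_SKEW = 37   # RFC 4120 error code: clock skew too great
MAX_SKEW = 300         # seconds; assumed 5-minute tolerance

def _tag(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()

def make_authenticator(key, ctime):
    # Client timestamp bound to the session key (HMAC stands in for encryption).
    body = struct.pack(">q", ctime)
    return body + _tag(key, body)

def server_verify(key, authenticator, server_now, send_stime=True):
    # Returns ("OK", None) or ("ERROR", dict modelling a KRB-ERROR).
    body, tag = authenticator[:8], authenticator[8:]
    if not hmac.compare_digest(tag, _tag(key, body)):
        raise ValueError("authenticator failed integrity check")
    (ctime,) = struct.unpack(">q", body)
    if abs(server_now - ctime) <= MAX_SKEW:
        return "OK", None
    err = {"error-code": KRB_AP_ERR_SKEW}
    if send_stime:
        err["stime"] = server_now   # server time carried back in the error
    return "ERROR", err

def client_connect(key, client_clock, server_clock, send_stime=True):
    # Returns attempts used (1 or 2), or None if the connection is refused.
    offset = 0
    for attempt in (1, 2):
        auth = make_authenticator(key, client_clock + offset)
        status, err = server_verify(key, auth, server_clock, send_stime)
        if status == "OK":
            return attempt
        if attempt == 2 or err["error-code"] != KRB_AP_ERR_SKEW or "stime" not in err:
            return None
        # Retry once with a new authenticator stamped in server time.
        offset = err["stime"] - client_clock

KEY = b"constructed-session-key"
SERVER_NOW = 1177612857              # constructed sample time
CLIENT_NOW = SERVER_NOW - 5 * 3600   # client clock 5 hours out

if __name__ == "__main__":
    print(client_connect(KEY, CLIENT_NOW, SERVER_NOW))
    print(client_connect(KEY, CLIENT_NOW, SERVER_NOW, send_stime=False))
```

With `send_stime=False` the client has nothing to resynchronise against and the connection fails, which is the behaviour the thread reports for the 5-hour skew.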

