[Samba] Samba kerberos more time sensitive than Windows?

Gerald (Jerry) Carter jerry at samba.org
Thu Mar 15 14:09:48 GMT 2007



Jason Haar wrote:
> Hi there
> 
> We just had a problem where a user couldn't connect to a Samba server
> that is a full ADS member. The same user could successfully connect to
> Windows2K3 servers.
> 
> The problem was obvious - their clock was 5 hours out, and Samba
> rejected their connections with a "Failed to verify incoming ticket".
> Correcting the time fixed the fault. However, it remains that Samba
> rejected them when Windows servers didn't.
> 
> Is that an option that can be enabled? Anything that makes Samba look
> more like Windows is a Good Thing (even if it violates the entire point
> of Kerberos! ;-)

Windows clients apparently adjust their clocks based on the
CLOCK_SKEW error returned in the negprot response.  It's hard
for us in this case since we are not the OS.

My recommendation is to set up ntpd to use the AD DCs as
the time servers.





cheers, jerry
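An added example, not part of the original post or of Samba's code: a shell check a Samba member server admin could run to see whether the offset from an AD DC exceeds the Kerberos clock-skew tolerance, the condition behind the "Failed to verify incoming ticket" rejection discussed above. Assumptions: the 300 second tolerance (the MIT Kerberos and AD default, not stated in the thread), the `ntpdate -q` output layout, the placeholder address, and the function names, which are hypothetical.

```shell
#!/bin/sh
# Added example. MAX_SKEW is an assumption: 300 s is the default Kerberos
# tolerance (MIT krb5 "clockskew", AD policy); set it to match your realm.
MAX_SKEW=${MAX_SKEW:-300}

# Constructed samples of `ntpdate -q <dc>` output. 192.0.2.10 is a
# documentation placeholder, not a real DC. The first is a host 5 hours out.
SAMPLE_BAD='server 192.0.2.10, stratum 3, offset 18000.412345, delay 0.02610'
SAMPLE_OK='server 192.0.2.10, stratum 3, offset -0.003912, delay 0.02588'

# parse_offset: read ntpdate -q output on stdin, print the first offset in seconds.
parse_offset() {
    awk '/^server / {
        for (i = 1; i < NF; i++)
            if ($i == "offset") { v = $(i + 1); sub(/,$/, "", v); print v; exit }
    }'
}

# skew_status OFFSET: print OK, SKEW or UNKNOWN; exit status 0, 1 or 2.
skew_status() {
    awk -v o="$1" -v m="$MAX_SKEW" 'BEGIN {
        if (o !~ /^[-+]?[0-9]+(\.[0-9]+)?$/) { print "UNKNOWN"; exit 2 }
        a = (o < 0) ? -o : o          # absolute offset
        if (a > m) { print "SKEW"; exit 1 }
        print "OK"; exit 0
    }'
}

# check_dc_output TEXT: run both steps over captured ntpdate output.
check_dc_output() {
    off=$(printf '%s\n' "$1" | parse_offset)
    skew_status "$off"
}

# Demonstration on the constructed samples.
for s in "$SAMPLE_BAD" "$SAMPLE_OK"; do
    printf '%s -> %s\n' "$s" "$(check_dc_output "$s")"
done
```

On a live host the input would come from `ntpdate -q` pointed at a DC instead of the sample strings; UNKNOWN means no offset could be parsed, for example when the DC did not answer.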

