[Samba] Samba kerberos more time sensitive that Windows?

Gerald (Jerry) Carter jerry at samba.org
Thu Mar 15 14:09:48 GMT 2007

Hash: SHA1

Jason Haar wrote:
> Hi there
> We just had a problem where a user couldn't connect to a Samba server
> that is a full ADS member. The same user could successfully connect to
> Windows2K3 servers.
> The problem was obvious - their clock was 5 hours out, and Samba
> rejected their connections with a "Failed to verify incoming ticket".
> Correcting the time fixed the fault. However, it remains that Samba
> rejected them when Windows servers didn't.
> Is that an option that can be enabled? Anything that makes Samba look
> more like Windows is a Good Thing (even if it violates the entire point
> of Kerberos! ;-)

Windows client apparently adjust their clocks based on the
CLOCK_SKEW error returned in the negprot response.  It's hard
for us in this cases since we are not the OS.

My recommendation is to setup ntpd to use the AD DCs as
the time servers.

cheers, jerry
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the samba mailing list