[Samba] Samba kerberos more time sensitive that Windows?

Jeremy Allison jra at samba.org
Thu Mar 15 15:56:15 GMT 2007

On Thu, Mar 15, 2007 at 09:09:48AM -0500, Gerald (Jerry) Carter wrote:
> Hash: SHA1
> Jason Haar wrote:
> > Hi there
> > 
> > We just had a problem where a user couldn't connect to a Samba server
> > that is a full ADS member. The same user could successfully connect to
> > Windows2K3 servers.
> > 
> > The problem was obvious - their clock was 5 hours out, and Samba
> > rejected their connections with a "Failed to verify incoming ticket".
> > Correcting the time fixed the fault. However, it remains that Samba
> > rejected them when Windows servers didn't.
> > 
> > Is that an option that can be enabled? Anything that makes Samba look
> > more like Windows is a Good Thing (even if it violates the entire point
> > of Kerberos! ;-)
> Windows client apparently adjust their clocks based on the
> CLOCK_SKEW error returned in the negprot response.  It's hard
> for us in this cases since we are not the OS.

Do you mean the CLOCK_SKEW returned in the SessionsetupX 
call ? If so I'm testing a patch that will allow smbd
to return the same error....


More information about the samba mailing list