[Samba] Samba kerberos more time sensitive that Windows?
Jeremy Allison
jra at samba.org
Thu Mar 15 15:56:15 GMT 2007
On Thu, Mar 15, 2007 at 09:09:48AM -0500, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jason Haar wrote:
> > Hi there
> >
> > We just had a problem where a user couldn't connect to a Samba server
> > that is a full ADS member. The same user could successfully connect to
> > Windows2K3 servers.
> >
> > The problem was obvious - their clock was 5 hours out, and Samba
> > rejected their connections with a "Failed to verify incoming ticket".
> > Correcting the time fixed the fault. However, it remains that Samba
> > rejected them when Windows servers didn't.
> >
> > Is that an option that can be enabled? Anything that makes Samba look
> > more like Windows is a Good Thing (even if it violates the entire point
> > of Kerberos! ;-)
>
> Windows client apparently adjust their clocks based on the
> CLOCK_SKEW error returned in the negprot response. It's hard
> for us in this cases since we are not the OS.
Do you mean the CLOCK_SKEW returned in the SessionsetupX
call ? If so I'm testing a patch that will allow smbd
to return the same error....
Jeremy.
More information about the samba
mailing list