[Samba] Samba kerberos more time sensitive than Windows?

Guenther Deschner gd at samba.org
Thu Mar 15 16:06:22 GMT 2007


Jeremy Allison wrote:
> On Thu, Mar 15, 2007 at 09:09:48AM -0500, Gerald (Jerry) Carter wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Jason Haar wrote:
>>> Hi there
>>>
>>> We just had a problem where a user couldn't connect to a Samba server
>>> that is a full ADS member. The same user could successfully connect to
>>> Windows2K3 servers.
>>>
>>> The problem was obvious - their clock was 5 hours out, and Samba
>>> rejected their connections with a "Failed to verify incoming ticket".
>>> Correcting the time fixed the fault. However, it remains that Samba
>>> rejected them when Windows servers didn't.
>>>
>>> Is that an option that can be enabled? Anything that makes Samba look
>>> more like Windows is a Good Thing (even if it violates the entire point
>>> of Kerberos! ;-)
>> Windows clients apparently adjust their clocks based on the
>> CLOCK_SKEW error returned in the negprot response.  It's hard
>> for us in this case since we are not the OS.
> 
> Do you mean the CLOCK_SKEW returned in the SessionsetupX
> call? If so I'm testing a patch that will allow smbd
> to return the same error....

I'm also finishing up a patch to always get the NT_STATUS codes out of
the KRB_ERROR packets directly (in that case it is
NT_STATUS_TIME_DIFFERENCE_AT_DC). Will work only for Heimdal currently
though...

Guenther

-- 
Günther Deschner                    GPG-ID: 8EE11688
Red Hat                         gdeschner at redhat.com
Samba Team                              gd at samba.org

