[Samba] ads net join with clock skew

Eyal_Marcus at DELL.com
Sun Feb 20 08:57:44 MST 2011


We are upgrading the Samba deployment version from 3.0.37 to 3.5.4, and on the new version we've discovered that we could use 'ads net join' to join the domain even when there is a clock skew that is "too great" (we tried 12 hours, days, and even a year; the time zone is the same time zone).
Also, when changing the server's time (to a different time from the join time), it allows us to leave the domain using "net ads leave" (meaning that Kerberos is able to validate the username/password).

On Samba ver. 3.0.37, we tried the same thing, and it returned the "Clock skew is too great" error.
I've also tried it on Samba 3.6.0 - same result as 3.5.4.

When trying to use kinit with the same user/password it fails with the clock skew error.

I'm not sure about this, but I don't think it is desired behavior to be able to join a domain when the clock skew is too big.
If there is an explanation for why this is desired and good behavior, I would appreciate it if you could share it.

Eyal Marcus
eyal_marcus at dell.com

