[Samba] Use case to test Clock skew on SAMBA4 (4.4.5)

Andrew Bartlett abartlet at samba.org
Sun Aug 28 09:05:31 UTC 2016

On Sat, 2016-08-27 at 19:56 +0530, Biswajit Banerjee via samba wrote:
> Hi Experts ,
> I have a situation where I have to demonstrate that if the time 
> difference between  Samba4 (AD) and Windows Client is more that 5 Min
>> as per Kerbrose ) , the user should note be allowed to login via
> that 
> windows PC .
> When I simulate it I get Clock skew in the logs ( as shown below )
> but 
> the user is allowed to login .
> / Kerberos: Too large time skew, client time 2016-08-27T17:08:26 is
> out 
> by 7280 > 300 seconds -- sysinfo$@MYDOMAIN.LOCAL//
> // Kerberos: Too large time skew, client time 2016-08-27T17:11:56 is
> out 
> by 7280 > 300 seconds -- brijesh.vishwakarma at MYDOMAIN.LOCAL/
> Is it the right Use case to demonstrate ? If yes then why is the
> case 
> failing .
> If No , what can be right use case to demonstrate ?

Many clients will use the error generated above to re-sync their clock
to the KDC, to avoid failure in this case.

Or, they will log in with NTLM over the NETLOGON service. 

Time in modern networks is just too fragile to allow for direct failure
here, so a lot of work is done to avoid it, both by using NTP to keep
time in sync, and to auto-skew to the KDC's time.

I hope this helps clarify things,

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list