[Samba] Use case to test Clock skew on SAMBA4 (4.4.5)

Marc Muehlfeld mmuehlfeld at samba.org
Sun Aug 28 10:42:58 UTC 2016

Hi Andrew,

Am 28.08.2016 um 11:05 schrieb Andrew Bartlett via samba:
> Many clients will use the error generated above to re-sync their clock
> to the KDC, to avoid failure in this case.
> Or, they will log in with NTLM over the NETLOGON service. 
> Time in modern networks is just too fragile to allow for direct failure
> here, so a lot of work is done to avoid it, both by using NTP to keep
> time in sync, and to auto-skew to the KDC's time.

I tried yesterday what Biswajit tried: I shutdown ntpd on the DC and set
the date to 12 days ago.

While I can successfully log in to the DC and access the file shares
(only "Too large time skew, client time..." was logged), I can't access
file shares on a Samba member server that has the same time like the client.

Additionally I tried a kinit from a different Linux host and I got a
Kerberos ticket from the DC, that was already expired:

Time on the Samba AD DC:
[root at DC1 ~]# date
Mo 15. Aug 15:19:42 CEST 2016

Time on the Linux Client (almost 12 days ahead):
[root at M1 ~]# date
Sa 27. Aug 18:52:33 CEST 2016

[root at M1 ~]# kinit administrator at SAMDOM.EXAMPLE.COM
Password for administrator at SAMDOM.EXAMPLE.COM:

[root at M1 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: administrator at SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
15.08.2016 15:18:10  16.08.2016 01:18:10
	renew until 22.08.2016 15:18:07

Is this really expected?


More information about the samba mailing list