[Samba] Use case to test Clock skew on SAMBA4 (4.4.5)
Marc Muehlfeld
mmuehlfeld at samba.org
Sun Aug 28 10:42:58 UTC 2016
Hi Andrew,

On 28.08.2016 at 11:05, Andrew Bartlett via samba wrote:
> Many clients will use the error generated above to re-sync their clock
> to the KDC, to avoid failure in this case.
>
> Or, they will log in with NTLM over the NETLOGON service.
>
> Time in modern networks is just too fragile to allow for direct failure
> here, so a lot of work is done to avoid it, both by using NTP to keep
> time in sync, and to auto-skew to the KDC's time.

I tried yesterday what Biswajit tried: I shut down ntpd on the DC and set
the date to 12 days ago.

While I can successfully log in to the DC and access the file shares
(only "Too large time skew, client time..." was logged), I can't access
file shares on a Samba member server that has the same time as the client.

Additionally, I tried a kinit from a different Linux host and I got a
Kerberos ticket from the DC that was already expired:

Time on the Samba AD DC:

[root@DC1 ~]# date
Mo 15. Aug 15:19:42 CEST 2016

Time on the Linux Client (almost 12 days ahead):

[root@M1 ~]# date
Sa 27. Aug 18:52:33 CEST 2016

[root@M1 ~]# kinit administrator@SAMDOM.EXAMPLE.COM
Password for administrator@SAMDOM.EXAMPLE.COM:

[root@M1 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: administrator@SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
15.08.2016 15:18:10  16.08.2016 01:18:10  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 22.08.2016 15:18:07

Is this really expected?

Regards,
Marc
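
A check for the condition reported in the message above, as an added example that is not part of the original post: it parses klist output in the date layout shown there and flags tickets that are already expired by the client's clock. The function names, the 5-minute tolerance (the usual Kerberos default) and the client time passed in are assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed sample: klist output in the layout shown in the message above.
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:0:0
Default principal: administrator@SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
15.08.2016 15:18:10  16.08.2016 01:18:10  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 22.08.2016 15:18:07
"""

FMT = "%d.%m.%Y %H:%M:%S"        # date layout of the klist output above
MAX_SKEW = timedelta(minutes=5)  # assumed tolerance (usual Kerberos default)

def parse_tickets(text):
    """Yield (start, end, service) for every ticket line in klist output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:      # ticket lines: 2 date/time pairs + principal
            continue
        try:
            start = datetime.strptime(" ".join(parts[0:2]), FMT)
            end = datetime.strptime(" ".join(parts[2:4]), FMT)
        except ValueError:       # e.g. the column header line
            continue
        yield start, end, parts[4]

def audit(text, client_now):
    """Compare ticket lifetimes against the client's clock."""
    findings = []
    for start, end, service in parse_tickets(text):
        # A freshly issued ticket starts at about the KDC's "now", so
        # client_now - start approximates the client's offset to the KDC.
        offset = client_now - start
        findings.append({
            "service": service,
            "kdc_offset": offset,
            "expired_on_arrival": end <= client_now,
            "skew_exceeded": abs(offset) > MAX_SKEW,
        })
    return findings

if __name__ == "__main__":
    # Client time taken from the `date` output on M1 in the message above.
    for f in audit(SAMPLE_KLIST, datetime(2016, 8, 27, 18, 52, 33)):
        print(f)
```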