[Samba] Use case to test Clock skew on SAMBA4 (4.4.5)

Andrew Bartlett abartlet at samba.org
Sun Aug 28 19:23:46 UTC 2016 

On Sun, 2016-08-28 at 12:42 +0200, Marc Muehlfeld wrote:
> Hi Andrew,
> 
> Am 28.08.2016 um 11:05 schrieb Andrew Bartlett via samba:
> > 
> > Many clients will use the error generated above to re-sync their
> > clock
> > to the KDC, to avoid failure in this case.
> > 
> > Or, they will log in with NTLM over the NETLOGON service. 
> > 
> > Time in modern networks is just too fragile to allow for direct
> > failure
> > here, so a lot of work is done to avoid it, both by using NTP to
> > keep
> > time in sync, and to auto-skew to the KDC's time.
> 
> 
> 
> I tried yesterday what Biswajit tried: I shutdown ntpd on the DC and
> set
> the date to 12 days ago.
> 
> While I can successfully log in to the DC and access the file shares
> (only "Too large time skew, client time..." was logged), I can't
> access
> file shares on a Samba member server that has the same time like the
> client.
> 
> Additionally I tried a kinit from a different Linux host and I got a
> Kerberos ticket from the DC, that was already expired:
> 
> 
> Time on the Samba AD DC:
> [root at DC1 ~]# date
> Mo 15. Aug 15:19:42 CEST 2016
> 
> 
> 
> 
> Time on the Linux Client (almost 12 days ahead):
> [root at M1 ~]# date
> Sa 27. Aug 18:52:33 CEST 2016
> 
> [root at M1 ~]# kinit administrator at SAMDOM.EXAMPLE.COM
> Password for administrator at SAMDOM.EXAMPLE.COM:
> 
> [root at M1 ~]# klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: administrator at SAMDOM.EXAMPLE.COM
> 
> Valid starting       Expires              Service principal
> 15.08.2016 15:18:10  16.08.2016 01:18:10
> krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
> 	renew until 22.08.2016 15:18:07
> 
> 
> 
> Is this really expected?

I'm sorry if you interpreted my comments as meaning this would be
seamless:  Time sync is critical to the correct behaviour and the
security of the system.  

It is just that our clients try to cope in the trivial cases where just
the client is out of sync.

To work out expected behaviour further, a comparison with Windows would
be worthwhile.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list