<quote from="Gerald (Jerry) Carter">
Jason Haar wrote:
> Hi there
>
> We just had a problem where a user couldn't connect to a Samba server
> that is a full ADS member. The same user could successfully connect to
> Windows2K3 servers.
>
> The problem was obvious - their clock was 5 hours out, and Samba
> rejected their connections with a "Failed to verify incoming ticket".
> Correcting the time fixed the fault. However, it remains that Samba
> rejected them when Windows servers didn't.
>
> Is that an option that can be enabled? Anything that makes Samba look
> more like Windows is a Good Thing (even if it violates the entire point
> of Kerberos! ;-)

Windows clients apparently adjust their clocks based on the CLOCK_SKEW error returned in the negprot response. It's hard for us in these cases since we are not the OS.
</quote>

Not quite. Basically, in the krb5 error, the Windows server sends back a server time to the client. The client uses this time to re-issue the krb5 auth request with a new authenticator generated using the server time. This is not subject to man-in-the-middle.

So, IIRC, the fundamental issue is that the Samba server's krb5 response does not include its time information.

This came up on the list last September:
http://lists.samba.org/archive/samba/2006-September/125610.html

Which pointed to a response on the kerberos list:
http://mailman.mit.edu/pipermail/kerberos/2006-September/010482.html

- Danilo
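The exchange Danilo describes, as an added simulation that is not part of the original thread and not Samba's or MIT krb5's code: the server rejects an AP-REQ whose authenticator time is outside the accepted skew window, returns a KRB-ERROR carrying its own time (the `stime` field, which RFC 4120 makes mandatory in every KRB-ERROR), and the client retries once with an authenticator built from the server's time. The `report_stime=False` switch is a hypothetical knob added here to model a server whose error carries no usable time, the behaviour the thread attributes to Samba; the 300-second window and error code 37 (`KRB_AP_ERR_SKEW`) are the RFC 4120 / MIT krb5 defaults. Encryption, replay caching and the rest of the AP-REQ are left out; only the time handling is shown.

```python
from dataclasses import dataclass
from typing import Optional

MAX_CLOCK_SKEW = 300   # seconds; the default accepted skew in RFC 4120 / MIT krb5
KRB_AP_ERR_SKEW = 37   # "Clock skew too great", RFC 4120 section 7.5.9


@dataclass
class Authenticator:
    """The time fields of an AP-REQ authenticator (everything else omitted)."""
    ctime: int             # client's view of now, seconds since the epoch
    cusec: int = 0


@dataclass
class KrbError:
    """The fields of a KRB-ERROR that matter for skew recovery."""
    error_code: int
    stime: int             # server's current time; a required KRB-ERROR field
    susec: int = 0


class AppServer:
    """A Kerberized service checking AP-REQ authenticators (simulated)."""

    def __init__(self, now: int, report_stime: bool = True):
        self.now = now
        # report_stime=False is a hypothetical switch modelling a server whose
        # KRB-ERROR carries no usable server time (stime=0 stands in for "absent").
        self.report_stime = report_stime

    def verify(self, auth: Authenticator) -> Optional[KrbError]:
        """Return None if the authenticator is accepted, else the KRB-ERROR sent back."""
        if abs(auth.ctime - self.now) > MAX_CLOCK_SKEW:
            return KrbError(KRB_AP_ERR_SKEW,
                            stime=self.now if self.report_stime else 0)
        return None


class Client:
    """A client with a possibly wrong clock and a per-server skew offset."""

    def __init__(self, now: int):
        self.now = now
        self.offset = 0        # applied only to authenticators, never to the OS clock
        self.attempts = 0

    def authenticate(self, server: AppServer) -> bool:
        # One retry is enough: either the error told us the server's time, or it did not.
        for _ in range(2):
            self.attempts += 1
            err = server.verify(Authenticator(ctime=self.now + self.offset))
            if err is None:
                return True
            if err.error_code != KRB_AP_ERR_SKEW or err.stime == 0:
                return False   # nothing to correct against: give up, as Samba's peer did
            self.offset = err.stime - self.now
        return False


if __name__ == "__main__":
    # Constructed scenario: the client's clock is five hours behind the server.
    server_now = 1_200_000_000
    client = Client(server_now - 5 * 3600)
    print("server reports its time:", client.authenticate(AppServer(server_now)),
          "after", client.attempts, "attempts, offset", client.offset)
    client = Client(server_now - 5 * 3600)
    print("server omits its time:  ",
          client.authenticate(AppServer(server_now, report_stime=False)))
```

Two points for anyone implementing the client side: the KRB-ERROR is not authenticated, so the time it carries must only feed the retried authenticator for that server (the `offset` above), never the system clock; and the retry is bounded to one round, since a second skew error with the corrected time means the server is not going to accept this client.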
