Jason Haar
2007-Mar-12 22:50 UTC
[Samba] Samba kerberos more time sensitive than Windows?
Hi there

We just had a problem where a user couldn't connect to a Samba server that is a full ADS member. The same user could successfully connect to Windows2K3 servers.

The problem was obvious - their clock was 5 hours out, and Samba rejected their connections with a "Failed to verify incoming ticket". Correcting the time fixed the fault. However, it remains that Samba rejected them when Windows servers didn't.

Is that an option that can be enabled? Anything that makes Samba look more like Windows is a Good Thing (even if it violates the entire point of Kerberos! ;-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Jeremy Allison
2007-Mar-12 22:54 UTC
[Samba] Samba kerberos more time sensitive than Windows?
On Tue, Mar 13, 2007 at 11:50:14AM +1300, Jason Haar wrote:
> Hi there
>
> We just had a problem where a user couldn't connect to a Samba server
> that is a full ADS member. The same user could successfully connect to
> Windows2K3 servers.
>
> The problem was obvious - their clock was 5 hours out, and Samba
> rejected their connections with a "Failed to verify incoming ticket".
> Correcting the time fixed the fault. However, it remains that Samba
> rejected them when Windows servers didn't.
>
> Is that an option that can be enabled? Anything that makes Samba look
> more like Windows is a Good Thing (even if it violates the entire point
> of Kerberos! ;-)

We need to know what the Windows server did in this case? Did it give an error message that caused the client to fall back to an NTLM auth? A capture trace would help here....

Jeremy.
Gerald (Jerry) Carter
2007-Mar-15 14:09 UTC
[Samba] Samba kerberos more time sensitive than Windows?
Jason Haar wrote:
> Hi there
>
> We just had a problem where a user couldn't connect to a Samba server
> that is a full ADS member. The same user could successfully connect to
> Windows2K3 servers.
>
> The problem was obvious - their clock was 5 hours out, and Samba
> rejected their connections with a "Failed to verify incoming ticket".
> Correcting the time fixed the fault. However, it remains that Samba
> rejected them when Windows servers didn't.
>
> Is that an option that can be enabled? Anything that makes Samba look
> more like Windows is a Good Thing (even if it violates the entire point
> of Kerberos! ;-)

Windows clients apparently adjust their clocks based on the CLOCK_SKEW error returned in the negprot response. It's hard for us in these cases since we are not the OS.

My recommendation is to set up ntpd to use the AD DCs as the time servers.

cheers, jerry