The Samba-Bugzilla – Bug 4924
KERBEROS: Clock skew too great
Last modified: 2010-03-30 14:53:37 UTC
If the time skew between the client and server is to great, on the client is displayed a message box about a unknown user or password when you try to signup to the server (f.e. when joining the domain). This is very misleading, because you can see the real issue only on the server with a higher debuglevel. This should really be changed!
Metze: you had some more details on how to make the clock skew issue 'auto-correct'. I thought we had this working, but perhaps something has changed?
Yes, ok this could be also the solution! But I thought simply to modify the text of the messagebox from "bad username or password" in "timeskew to great", so that users are informed!
We don't send the text, and I'll need to look into exactly what is returning the error code. We may be able to make it behave better.
what client is that? windows?
I need a network capture of this...
Andrew, maybe the the heimdal merges have broken
this again. The trick was not to send the 'e-text'
field in the reply with KRB5KRB_AP_ERR_SKEW
For make this more clear:
- You have the SAMBA 4 server set up (with provisioning) and a windows professional machine (I've Win2k)
- You want to join the domain (click right on the "My Computer" icon, second tab, "Properties", "Domain", type in the dns domainname, click on OK)
- If the time skew between the potential domain client and SAMBA 4 server is too great, on the client side there is displayed a message telling that there was given a wrong username or wrong password
- But if you turn up the debuglevel on the server side, you can see the real issue "Kerberos: Time skew to great". So the client isn't joined yet!
- I only thought to provide a way, to change the message on the client side. In fact the error confused me since TP1.
Windows will auto-adjust to the skew, based on the returned time, if we get things right. This allows a bootstrapping into the join. Later, we should add authenticated NTP to finish the authenticated provision of time.
We should look at the behviour of Samba3, which has an experimental fix for this in smbd/sesssetup.c:300
On the domain controller (only) we can return a magic response if the time is out of sync with the client.
And that should mean that we've fixed it, Andrew?
No, this means we need to do (possibly significant) additional work to get this all handled correctly, but we have a place to start, based on the investigations of others.
Okay, now there is displayed the correct error message (tested).
Would you like to continue to fix this with the automatic time synchronisation and so leave this bug open?
So the windows client shows a useful error message now?
Or do you mean samba4's client utils show a better error message now,
which they should with commit d6c54a66fb23c784ef221a3c1cf766b72bdb5a0b
with this commit samba4 also sends KRB-ERROR packets in GSSAPI replies.
I have an hacked patch to do the retry logic for our client side.
Love, could you please try to implement this the right way:-)
If however the bug is about a windows client not doing the retries,
I need capture of it.
The message box on the client side doesn't print "Unknown user" anymore, but the right reason "Time skew too great", when a trial to join a domain is performed.
Does it also happen with a windows domain controller?
Can you provide a wireshark capture of the join (try) please.
Created attachment 3477 [details]
Here a wireshark capture
Client: vmware-win2k2 - 192.168.2.9 (Windows 2000 Prof. SP4)
Server: vmware-samba4 - 192.168.2.10 (Latest SAMBA 4 GIT)
Metze, had you a chance to continue to work on this?
Love, I think this problem affects also heimdal kerberos and not only kerberos in conjunction with s4. Could you comment this (for example metze's patch: http://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=22b7cf385de)?
I think we should close this issue. The actual state is acceptable (when the synchronisation isn't possible we get a dialog box which tells us this).