Bug 4924 - KERBEROS: Clock skew too great
Product: Samba 4.0
Classification: Unclassified
Assigned To: Stefan Metzmacher
Reported: 2007-08-29 01:46 UTC by Matthias Dieter Wallnöfer
Modified: 2010-03-30 14:53 UTC (History)

Attachment: Here a wireshark capture (37.05 KB, application/octet-stream), 2008-08-14 13:33 UTC, Matthias Dieter Wallnöfer

Description Matthias Dieter Wallnöfer 2007-08-29 01:46:10 UTC
If the time skew between the client and server is too great, a message box about an unknown user or password is displayed on the client when you try to sign up to the server (e.g. when joining the domain). This is very misleading, because you can see the real issue only on the server with a higher debuglevel. This should really be changed!
Comment 1 Andrew Bartlett 2007-08-30 00:43:07 UTC
Metze:  you had some more details on how to make the clock skew issue 'auto-correct'.  I thought we had this working, but perhaps something has changed?
Comment 2 Matthias Dieter Wallnöfer 2007-08-30 01:06:22 UTC
Yes, ok, this could also be the solution! But I simply thought to change the text of the message box from "bad username or password" to "time skew too great", so that users are informed!
Comment 3 Andrew Bartlett 2007-09-03 00:09:20 UTC
We don't send the text, and I'll need to look into exactly what is returning the error code.  We may be able to make it behave better. 
Comment 4 Stefan Metzmacher 2007-09-03 04:00:32 UTC
what client is that? windows?

I need a network capture of this...

Andrew, maybe the heimdal merges have broken
this again. The trick was not to send the 'e-text'
field in the reply with KRB5KRB_AP_ERR_SKEW
Comment 5 Matthias Dieter Wallnöfer 2007-09-03 05:46:40 UTC
To make this more clear:
- You have the SAMBA 4 server set up (with provisioning) and a Windows Professional machine (I've Win2k)
- You want to join the domain (right-click on the "My Computer" icon, second tab, "Properties", "Domain", type in the DNS domain name, click on OK)
- If the time skew between the potential domain client and the SAMBA 4 server is too great, on the client side a message is displayed saying that a wrong username or wrong password was given
- But if you turn up the debuglevel on the server side, you can see the real issue "Kerberos: Time skew too great". So the client isn't joined yet!
- I only thought to provide a way to change the message on the client side. In fact the error has confused me since TP1.
Comment 6 Andrew Bartlett 2007-09-03 05:49:15 UTC
Windows will auto-adjust to the skew, based on the returned time, if we get things right.  This allows a bootstrapping into the join.  Later, we should add authenticated NTP to finish the authenticated provision of time. 
Comment 7 Andrew Bartlett 2007-09-21 05:45:36 UTC
We should look at the behaviour of Samba3, which has an experimental fix for this in smbd/sesssetup.c:300

On the domain controller (only) we can return a magic response if the time is out of sync with the client. 
Comment 8 Matthias Dieter Wallnöfer 2007-09-21 06:42:54 UTC
And that should mean that we've fixed it, Andrew?
Comment 9 Andrew Bartlett 2007-09-21 17:54:08 UTC
No, this means we need to do (possibly significant) additional work to get this all handled correctly, but we have a place to start, based on the investigations of others. 
Comment 10 Matthias Dieter Wallnöfer 2008-08-14 12:30:24 UTC
Okay, now the correct error message is displayed (tested).
Would you like to continue fixing this with the automatic time synchronisation and so leave this bug open?
Comment 11 Stefan Metzmacher 2008-08-14 13:16:31 UTC
So the windows client shows a useful error message now?

Or do you mean samba4's client utils show a better error message now,
which they should with commit d6c54a66fb23c784ef221a3c1cf766b72bdb5a0b;
with this commit samba4 also sends KRB-ERROR packets in GSSAPI replies.

I have a hacked patch to do the retry logic for our client side.
Love, could you please try to implement this the right way :-)

If however the bug is about a windows client not doing the retries,
I need a capture of it.
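The behaviour discussed in this thread (a KDC answering an out-of-tolerance timestamp with KRB5KRB_AP_ERR_SKEW and its own stime, without an e-text string, and a client that derives a clock offset from that reply and retries), as an added simulation that is not part of this bug report, of Samba, or of Heimdal. The 300-second tolerance, the struct layout and the function names are assumptions for the illustration; only the error code value comes from RFC 4120.

```c
#include <time.h>

#define KRB5KRB_AP_ERR_SKEW 37   /* RFC 4120 error code: clock skew too great */
#define MAX_SKEW_SECS 300        /* assumed KDC tolerance (the common 5-minute default) */

/* Subset of a KRB-ERROR reply (RFC 4120 section 5.9.1): the error code and the
 * KDC's own time. e-text is deliberately absent so the client corrects its
 * clock from stime instead of showing a string, as the thread describes. */
struct krb_error {
    int error_code;
    time_t stime;            /* server time when the error was generated */
};

/* KDC side: compare the client's timestamp with the server clock.
 * Returns 0 if within tolerance, else KRB5KRB_AP_ERR_SKEW and fills *err. */
int kdc_check_skew(time_t server_now, time_t client_time, struct krb_error *err)
{
    long skew = (long)(server_now - client_time);
    if (skew > MAX_SKEW_SECS || skew < -MAX_SKEW_SECS) {
        err->error_code = KRB5KRB_AP_ERR_SKEW;
        err->stime = server_now;
        return KRB5KRB_AP_ERR_SKEW;
    }
    return 0;
}

/* Client side: stamp the request with local time plus a learned offset.
 * On AP_ERR_SKEW, take the offset from the returned stime and retry once.
 * Returns 0 if an attempt was accepted, otherwise the last error code;
 * *offset_out receives the correction that was applied. */
int client_request_with_retry(time_t client_now, time_t server_now, long *offset_out)
{
    struct krb_error err;
    long offset = 0;
    int attempt, rc = 0;

    for (attempt = 0; attempt < 2; attempt++) {
        rc = kdc_check_skew(server_now, client_now + offset, &err);
        if (rc != KRB5KRB_AP_ERR_SKEW)
            break;               /* accepted, or an error that is not skew */
        offset = (long)(err.stime - client_now);   /* align with KDC clock */
    }
    *offset_out = offset;
    return rc;
}
```

A client that receives an e-text string instead would only have a message to display; the retry above works because the reply carries the server's time.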
Comment 12 Matthias Dieter Wallnöfer 2008-08-14 13:22:02 UTC
The message box on the client side doesn't print "Unknown user" anymore, but the right reason "Time skew too great", when an attempt to join a domain is performed.
Comment 13 Stefan Metzmacher 2008-08-14 13:26:56 UTC
Does it also happen with a windows domain controller?

Can you provide a wireshark capture of the join (try), please?

Comment 14 Matthias Dieter Wallnöfer 2008-08-14 13:33:52 UTC
Created attachment 3477 [details]
Here a wireshark capture

Client: vmware-win2k2 - (Windows 2000 Prof. SP4)
Server: vmware-samba4 - (Latest SAMBA 4 GIT)
Comment 15 Matthias Dieter Wallnöfer 2009-07-12 15:17:58 UTC
Metze, did you have a chance to continue working on this?
Comment 16 Matthias Dieter Wallnöfer 2010-02-13 07:21:43 UTC
Love, I think this problem also affects Heimdal Kerberos and not only Kerberos in conjunction with s4. Could you comment on this (for example metze's patch: http://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=22b7cf385de)?
Comment 17 Matthias Dieter Wallnöfer 2010-03-30 14:53:37 UTC
I think we should close this issue. The current state is acceptable (when the synchronisation isn't possible we get a dialog box which tells us this).