Jeremy Allison wrote:
On Thu, Mar 15, 2007 at 09:09:48AM -0500, Gerald (Jerry) Carter wrote:

Jason Haar wrote:
Hi there

We just had a problem where a user couldn't connect to a Samba server
that is a full ADS member. The same user could successfully connect to
Windows2K3 servers.

The problem was obvious - their clock was 5 hours out, and Samba
rejected their connections with a "Failed to verify incoming ticket".
Correcting the time fixed the fault. However, it remains that Samba
rejected them when Windows servers didn't.

Is that an option that can be enabled? Anything that makes Samba look
more like Windows is a Good Thing (even if it violates the entire point
of Kerberos! ;-)

Windows clients apparently adjust their clocks based on the
CLOCK_SKEW error returned in the negprot response.  It's hard
for us in this case since we are not the OS.

Do you mean the CLOCK_SKEW returned in the SessionsetupX call? If so I'm testing a patch that will allow smbd to return the same error....

I'm also finishing up a patch to always get the NT_STATUS codes out of the KRB_ERROR packets directly (in that case it is NT_STATUS_TIME_DIFFERENCE_AT_DC). Will work only for Heimdal currently though...

Guenther

--
Günther Deschner                    GPG-ID: 8EE11688
Red Hat                         [EMAIL PROTECTED]
Samba Team                              [EMAIL PROTECTED]
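
An added illustration, not code from Samba or from anyone in this thread, of the behaviour discussed above: a service rejects an authenticator whose timestamp is outside the allowed skew and reports its own time in the error, and a client either gives up or applies an offset and retries. The class names, the 300-second tolerance and the sample timestamp are assumptions made for this sketch; `KRB_AP_ERR_SKEW` (37) is the RFC 4120 error code.

```python
from dataclasses import dataclass

KRB_AP_ERR_SKEW = 37   # RFC 4120 error code: clock skew too great
MAX_SKEW = 300         # seconds; assumed tolerance for this sketch


@dataclass
class KrbError:
    error_code: int
    stime: int         # server's current time, as carried in a KRB-ERROR


class Acceptor:
    """Toy service side: compares the authenticator time with its own clock."""
    def __init__(self, clock):
        self.clock = clock  # callable returning epoch seconds

    def accept(self, authenticator_ctime):
        now = self.clock()
        if abs(now - authenticator_ctime) > MAX_SKEW:
            return KrbError(KRB_AP_ERR_SKEW, now)
        return None         # timestamp acceptable


class Client:
    """Toy client that keeps a time offset rather than changing the OS clock."""
    def __init__(self, clock):
        self.clock = clock
        self.offset = 0

    def connect(self, acceptor, retry_on_skew):
        for attempt in (1, 2):
            err = acceptor.accept(self.clock() + self.offset)
            if err is None:
                return f"ok after {attempt} attempt(s)"
            if err.error_code == KRB_AP_ERR_SKEW and retry_on_skew and attempt == 1:
                self.offset = err.stime - self.clock()  # learn server time
                continue
            break
        return "rejected: clock skew"


SERVER_NOW = 1_173_967_788                      # constructed sample time
server = Acceptor(lambda: SERVER_NOW)
five_hours_off = lambda: SERVER_NOW - 5 * 3600  # the clock error reported above


def demo():
    return (Client(five_hours_off).connect(server, retry_on_skew=False),
            Client(five_hours_off).connect(server, retry_on_skew=True))
```

The server time in a KRB-ERROR is not integrity protected, so a client that applies it is accepting a time value from the network without authentication.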