RE: [Samba] Samba kerberos more time sensitive than Windows?
> Gerald (Jerry) Carter wrote:
>> Jason Haar wrote:
>>> Hi there
>>>
>>> We just had a problem where a user couldn't connect to a Samba server that is a full ADS member. The same user could successfully connect to Windows2K3 servers. The problem was obvious - their clock was 5 hours out, and Samba rejected their connections with a "Failed to verify incoming ticket". Correcting the time fixed the fault.
>>>
>>> However, it remains that Samba rejected them when Windows servers didn't. Is that an option that can be enabled? Anything that makes Samba look more like Windows is a Good Thing (even if it violates the entire point of Kerberos! ;-)
>>
>> Windows clients apparently adjust their clocks based on the CLOCK_SKEW error returned in the negprot response. It's hard for us in this case since we are not the OS.

Not quite. Basically, in the krb5 error, the Windows server sends back a server time to the client. The client uses this time to re-issue the krb5 auth request with a new authenticator generated using the server time. This is not subject to man-in-the-middle.

So, IIRC, the fundamental issue is that the Samba server's krb5 response does not include its time information.

This came up on the list last September:
http://lists.samba.org/archive/samba/2006-September/125610.html

Which pointed to a response on the kerberos list:
http://mailman.mit.edu/pipermail/kerberos/2006-September/010482.html

- Danilo

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba kerberos more time sensitive than Windows?
Hello

> That host was a Dell laptop - not VMWare - and even had SNTP set on it. Its clock was out - triggering the problem. As to why its clock drifted off - we have no idea.

NTP is only for small time differences ... There are a lot of explanations.

> Strangely enough, after it was rebooted, the problem went away. IT Helpdesks around the world know that phrase: try rebooting... ;-)

Maybe you have another time sync while booting the machine.

Luf
Re: [Samba] Samba kerberos more time sensitive than Windows?
On Wed, Mar 21, 2007 at 10:11:41AM +1200, Jason Haar wrote:
> FYI we just had a similar problem with an XP-SP2 client. Their clock was out and Samba rejected their advances :-)
>
> That host was a Dell laptop - not VMWare - and even had SNTP set on it. Its clock was out - triggering the problem. As to why its clock drifted off - we have no idea.
>
> Strangely enough, after it was rebooted, the problem went away. IT Helpdesks around the world know that phrase: try rebooting... ;-)

I'm hoping Todd from Isilon can confirm if Windows servers ignore clock skew, as I know he worked on their krb5 code :-).

Jeremy.
Re: [Samba] Samba kerberos more time sensitive than Windows?
FYI we just had a similar problem with an XP-SP2 client. Their clock was out and Samba rejected their advances :-)

That host was a Dell laptop - not VMWare - and even had SNTP set on it. Its clock was out - triggering the problem. As to why its clock drifted off - we have no idea.

Strangely enough, after it was rebooted, the problem went away. IT Helpdesks around the world know that phrase: try rebooting... ;-)

Jason

Jeremy Allison wrote:
> It truly is a strange case. I find that if I change the clock on the client and log in it re-syncs the time from the DC and all connections to servers work (as you'd expect with the correct time).

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Samba] Samba kerberos more time sensitive than Windows?
Jason Haar wrote:
> Hi there
>
> We just had a problem where a user couldn't connect to a Samba server that is a full ADS member. The same user could successfully connect to Windows2K3 servers. The problem was obvious - their clock was 5 hours out, and Samba rejected their connections with a "Failed to verify incoming ticket". Correcting the time fixed the fault.
>
> However, it remains that Samba rejected them when Windows servers didn't. Is that an option that can be enabled? Anything that makes Samba look more like Windows is a Good Thing (even if it violates the entire point of Kerberos! ;-)

Windows clients apparently adjust their clocks based on the CLOCK_SKEW error returned in the negprot response. It's hard for us in this case since we are not the OS.

My recommendation is to set up ntpd to use the AD DCs as the time servers.

cheers, jerry
Re: [Samba] Samba kerberos more time sensitive than Windows?
On Thu, Mar 15, 2007 at 09:09:48AM -0500, Gerald (Jerry) Carter wrote:
> Jason Haar wrote:
>> Hi there
>>
>> We just had a problem where a user couldn't connect to a Samba server that is a full ADS member. The same user could successfully connect to Windows2K3 servers. The problem was obvious - their clock was 5 hours out, and Samba rejected their connections with a "Failed to verify incoming ticket". Correcting the time fixed the fault.
>>
>> However, it remains that Samba rejected them when Windows servers didn't. Is that an option that can be enabled? Anything that makes Samba look more like Windows is a Good Thing (even if it violates the entire point of Kerberos! ;-)
>
> Windows clients apparently adjust their clocks based on the CLOCK_SKEW error returned in the negprot response. It's hard for us in this case since we are not the OS.

Do you mean the CLOCK_SKEW returned in the SessionsetupX call? If so I'm testing a patch that will allow smbd to return the same error.

Jeremy.
Re: [Samba] Samba kerberos more time sensitive than Windows?
Jeremy Allison wrote:
> On Thu, Mar 15, 2007 at 09:09:48AM -0500, Gerald (Jerry) Carter wrote:
>> Jason Haar wrote:
>>> Hi there
>>>
>>> We just had a problem where a user couldn't connect to a Samba server that is a full ADS member. The same user could successfully connect to Windows2K3 servers. The problem was obvious - their clock was 5 hours out, and Samba rejected their connections with a "Failed to verify incoming ticket". Correcting the time fixed the fault.
>>>
>>> However, it remains that Samba rejected them when Windows servers didn't. Is that an option that can be enabled? Anything that makes Samba look more like Windows is a Good Thing (even if it violates the entire point of Kerberos! ;-)
>>
>> Windows clients apparently adjust their clocks based on the CLOCK_SKEW error returned in the negprot response. It's hard for us in this case since we are not the OS.
>
> Do you mean the CLOCK_SKEW returned in the SessionsetupX call? If so I'm testing a patch that will allow smbd to return the same error.

I'm also finishing up a patch to always get the NT_STATUS codes out of the KRB_ERROR packets directly (in that case it is NT_STATUS_TIME_DIFFERENCE_AT_DC). Will work only for Heimdal currently though...

Guenther

--
Günther Deschner    GPG-ID: 8EE11688
Red Hat             [EMAIL PROTECTED]
Samba Team          [EMAIL PROTECTED]
Re: [Samba] Samba kerberos more time sensitive than Windows?
Jeremy Allison wrote:
> Do you mean the CLOCK_SKEW returned in the SessionsetupX call? If so I'm testing a patch that will allow smbd to return the same error.

I'd have to go back and check traces again. It's been a while since I looked at it.

Is your patch assuming then that the Samba server has correct time and the client does not? I think the original problem was that the Samba server's clock was off. Windows servers sync their clocks with the DC automatically. So I'm not sure you want Samba telling the Windows client to reset its clock by 5 hours.

Maybe smbd should just implement ntpd :-) Or maybe we should just document that admins need to have a working ntpd installation. Just food for thought. This is pretty similar to my discussion with Volker on samba-technical about the fine line between Samba and the OS.

cheers, jerry

=====================================================================
Samba    --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Re: [Samba] Samba kerberos more time sensitive than Windows?
On Thu, Mar 15, 2007 at 11:07:04AM -0500, Gerald (Jerry) Carter wrote:
> Jeremy Allison wrote:
>> Do you mean the CLOCK_SKEW returned in the SessionsetupX call? If so I'm testing a patch that will allow smbd to return the same error.
>
> I'd have to go back and check traces again. It's been a while since I looked at it.
>
> Is your patch assuming then that the Samba server has correct time and the client does not? I think the original problem was that the Samba server's clock was off.

No I checked with Jason. The client is off in his case.

Jeremy.
Re: [Samba] Samba kerberos more time sensitive than Windows?
Jeremy Allison wrote:
> On Thu, Mar 15, 2007 at 11:07:04AM -0500, Gerald (Jerry) Carter wrote:
>> Jeremy Allison wrote:
>>> Do you mean the CLOCK_SKEW returned in the SessionsetupX call? If so I'm testing a patch that will allow smbd to return the same error.
>>
>> I'd have to go back and check traces again. It's been a while since I looked at it.
>>
>> Is your patch assuming then that the Samba server has correct time and the client does not? I think the original problem was that the Samba server's clock was off.
>
> No I checked with Jason. The client is off in his case.

Ahh...gotcha.

jerry
Re: [Samba] Samba kerberos more time sensitive than Windows?
Jeremy Allison wrote:
>> I'd have to go back and check traces again. It's been a while since I looked at it.
>>
>> Is your patch assuming then that the Samba server has correct time and the client does not? I think the original problem was that the Samba server's clock was off.
>
> No I checked with Jason. The client is off in his case.

It was a Win2K3 client with its clock hours off connecting to a Samba server (with Win2K3 domain controllers at the back end) - with correct clocks.

It was a nasty case. The problem was that it was a CentOS4 server running Win2K3 as a virtual server under VMware. There is a bug/issue between current vmware-server instances and 2.6.9* series Linux kernels that means VMware can't emulate time signals(?) correctly. End result was that even though the Win2K3 client had an ntp agent installed, it was unable to keep its clock in sync. We also have an identical issue with running virtual Linux in the same environment. The syslog is filled with ntp errors about being unable to slew the clock. So we're going to run VMware under Fedora instead - at least that kernel is less than 2 years old ;-)

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Samba] Samba kerberos more time sensitive than Windows?
On Fri, Mar 16, 2007 at 07:47:12AM +1300, Jason Haar wrote:
> It was a Win2K3 client with its clock hours off connecting to a Samba server (with Win2K3 domain controllers at the back end) - with correct clocks.
>
> It was a nasty case. The problem was that it was a CentOS4 server running Win2K3 as a virtual server under VMware. There is a bug/issue between current vmware-server instances and 2.6.9* series Linux kernels that means VMware can't emulate time signals(?) correctly. End result was that even though the Win2K3 client had an ntp agent installed, it was unable to keep its clock in sync. We also have an identical issue with running virtual Linux in the same environment. The syslog is filled with ntp errors about being unable to slew the clock. So we're going to run VMware under Fedora instead - at least that kernel is less than 2 years old ;-)

It truly is a strange case. I find that if I change the clock on the client and log in it re-syncs the time from the DC and all connections to servers work (as you'd expect with the correct time). If I log in then change the client time and then attach to the Samba server it fails to login (internal logs show clock-skew errors). I can make the server return this error to the client and the client then displays the message "This server's clock is not synchronized with the primary domain controller's clock", which I think is an improvement (although not accurate as it's the client's clock that is wrong). This is the code I'm going to check in for 3.0.25 as it gives a much clearer error message to a user than "login denied".

I'm guessing that once the client has logged in and got a TGT it believes its time must always be correct or it wouldn't have got the initial TGT. The interesting sessionsetup shenanigans I see in the trace you sent me only seem to happen when the client is connecting to the DC. I'm guessing it's that connection, with the embedded krb5 error returned containing the CLOCK SKEW error (containing the DC's current time), that causes the client to re-sync the time on login. As we're not yet able in Samba3 to be a KDC the client will not accept that error message on sessionsetup from us (it just displays the standard "bad username or password" and terminates the connection) but I'm going to leave the code in place (#ifdef'ed out) so we can turn this on once we're truly running as a KDC.

Jeremy.
Re: [Samba] Samba kerberos more time sensitive than Windows?
Jeremy Allison wrote:
> It truly is a strange case. I find that if I change the clock on the client and log in it re-syncs the time from the DC and all connections to servers work (as you'd expect with the correct time). If I log in then change the client time and then attach to the Samba server it fails to login (internal logs show clock-skew errors).

That is our situation. Whatever this VMware bug is, it is stopping the virtualized OS from slewing the time. So I'd guess the OS fails to be able to re-sync against the DC, and so it fails later when it tries connecting to the Samba server. However (as mentioned in my original mail), this problem doesn't appear to affect Win2K3 servers - only Samba.

As mentioned, this problem is really a VMware problem, so we're off fixing the cause - but I think it's always a good idea to make Samba look more like a Windows server - even if it means handling such a hare-brained situation. But - that's easy for me to say :-)

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Samba] Samba kerberos more time sensitive than Windows?
On Fri, Mar 16, 2007 at 08:58:19AM +1300, Jason Haar wrote:
> That is our situation. Whatever this VMware bug is, it is stopping the virtualized OS from slewing the time. So I'd guess the OS fails to be able to re-sync against the DC, and so it fails later when it tries connecting to the Samba server. However (as mentioned in my original mail), this problem doesn't appear to affect Win2K3 servers - only Samba.
>
> As mentioned, this problem is really a VMware problem, so we're off fixing the cause - but I think it's always a good idea to make Samba look more like a Windows server - even if it means handling such a hare-brained situation. But - that's easy for me to say :-)

The only way Windows servers could be handling this situation is to ignore clock-skew errors on incoming AP_REQ messages. I actually believe they're doing this, and I can't let Samba do the same. I've improved the error message for 3.0.25 so if Samba fails a login due to clock skew the client at least gets an error message to this effect.

Jeremy.
Re: [Samba] Samba kerberos more time sensitive than Windows?
On Fri, Mar 16, 2007 at 08:58:19AM +1300, Jason Haar wrote:
> Jeremy Allison wrote:
>> It truly is a strange case. I find that if I change the clock on the client and log in it re-syncs the time from the DC and all connections to servers work (as you'd expect with the correct time). If I log in then change the client time and then attach to the Samba server it fails to login (internal logs show clock-skew errors).
>
> That is our situation. Whatever this VMware bug is, it is stopping the virtualized OS from slewing the time. So I'd guess the OS fails to be able to re-sync against the DC, and so it fails later when it tries connecting to the Samba server. However (as mentioned in my original mail), this problem doesn't appear to affect Win2K3 servers - only Samba.
>
> As mentioned, this problem is really a VMware problem, so we're off fixing the cause - but I think it's always a good idea to make Samba look more like a Windows server - even if it means handling such a hare-brained situation. But - that's easy for me to say :-)
>
> --
> Cheers
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Jason,

We had similar problems with NTP running on a guest VM. The knowledge base said to use NTP on the host machine and vmtools (the guest machine tools) on the guest to sync its time with the host. Otherwise we had many, many load related timing problems with the guest machines.

Ken
Re: [Samba] Samba kerberos more time sensitive than Windows?
Jeremy Allison wrote:
> The only way Windows servers could be handling this situation is to ignore clock-skew errors on incoming AP_REQ messages. I actually believe they're doing this, and I can't let Samba do the same.

I suspected Windows was ignoring clock-skew events. Doesn't that mean Active Directory's Kerberos is susceptible to man-in-the-middle attacks then? :-)

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Samba] Samba kerberos more time sensitive than Windows?
On Fri, Mar 16, 2007 at 09:32:26AM +1300, Jason Haar wrote:
> Jeremy Allison wrote:
>> The only way Windows servers could be handling this situation is to ignore clock-skew errors on incoming AP_REQ messages. I actually believe they're doing this, and I can't let Samba do the same.
>
> I suspected Windows was ignoring clock-skew events. Doesn't that mean Active Directory's Kerberos is susceptible to man-in-the-middle attacks then? :-)

Possibly not if they're using a replay cache. But I'm not an expert so
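Two mechanisms from this thread are worth seeing side by side: the skew-retry exchange Danilo describes (the server answers a badly timestamped AP-REQ with a KRB-ERROR carrying its own time, and the client re-issues the authenticator using that time), and Jeremy's point here that a replay cache, not the skew check, is what stops a captured authenticator from being reused. The following is an added simulation written for this page; it is not Samba, Heimdal or Windows code. The `Server`, `Client`, `Authenticator` and `KrbError` classes, the `demo_*` functions, the principal `user@EXAMPLE.COM` and all time values are constructed for the example; `KRB_AP_ERR_SKEW` and `KRB_AP_ERR_REPEAT` are the RFC 4120 error names, and the 300-second tolerance is the conventional Kerberos default, not a value taken from the thread. No real cryptography is involved.

```python
"""Toy model of Kerberos AP-REQ clock-skew handling and replay caching.

Added example, not Samba or Windows code. No real cryptography: authenticators
are plain objects, and all time values are constructed integers (seconds since
an arbitrary epoch). ALLOWED_SKEW follows the usual 5-minute Kerberos default.
"""
from dataclasses import dataclass

ALLOWED_SKEW = 300  # seconds of client/server clock difference tolerated


@dataclass(frozen=True)
class Authenticator:
    principal: str
    ctime: int   # client's notion of "now" when the authenticator was built
    cusec: int   # microsecond field; with ctime it identifies this authenticator


@dataclass
class KrbError:
    code: str
    stime: int   # server's current time, sent back in the KRB-ERROR


class Server:
    """Application server (e.g. a file server) verifying incoming AP-REQs."""

    def __init__(self, now, ignore_skew=False):
        self.now = now                  # server clock (constructed value)
        self.ignore_skew = ignore_skew  # True models a server tolerating any skew
        self.replay_cache = set()       # authenticators already accepted

    def verify_ap_req(self, auth):
        # 1. Clock-skew check: the authenticator's timestamp must be close to
        #    server time. On failure the server reports its own time (stime).
        if not self.ignore_skew and abs(auth.ctime - self.now) > ALLOWED_SKEW:
            return KrbError("KRB_AP_ERR_SKEW", self.now)
        # 2. Replay cache: an authenticator seen before is rejected regardless
        #    of whether the skew check is enforced.
        key = (auth.principal, auth.ctime, auth.cusec)
        if key in self.replay_cache:
            return KrbError("KRB_AP_ERR_REPEAT", self.now)
        self.replay_cache.add(key)
        return "OK"


class Client:
    """Client whose local clock may be wrong; learns a correction from stime."""

    def __init__(self, principal, now):
        self.principal = principal
        self.now = now      # local clock (constructed value, possibly wrong)
        self.offset = 0     # correction learned from a KRB_AP_ERR_SKEW reply
        self.cusec = 0

    def authenticator(self):
        self.cusec += 1  # fresh authenticator each time
        return Authenticator(self.principal, self.now + self.offset, self.cusec)

    def connect(self, server):
        """Authenticate once; on KRB_AP_ERR_SKEW retry with the server's time.

        Returns (outcome, number_of_attempts)."""
        result = server.verify_ap_req(self.authenticator())
        attempts = 1
        if isinstance(result, KrbError) and result.code == "KRB_AP_ERR_SKEW":
            # Re-issue the AP-REQ with an authenticator stamped from stime,
            # as the thread describes Windows clients doing.
            self.offset = result.stime - self.now
            result = server.verify_ap_req(self.authenticator())
            attempts = 2
        return (result if isinstance(result, str) else result.code, attempts)


def demo_skew_retry():
    """Client 5 hours slow against a strict server: first try fails, retry succeeds."""
    server = Server(now=1_000_000)
    client = Client("user@EXAMPLE.COM", now=1_000_000 - 5 * 3600)
    return client.connect(server)


def demo_replay(ignore_skew):
    """The same authenticator presented twice is caught by the replay cache."""
    server = Server(now=1_000_000, ignore_skew=ignore_skew)
    client = Client("user@EXAMPLE.COM", now=1_000_000)
    auth = client.authenticator()
    first = server.verify_ap_req(auth)
    second = server.verify_ap_req(auth)
    return (first, second.code)


def demo_stale_authenticator(ignore_skew):
    """An authenticator stamped 5 hours ago: rejected by the skew check, but
    accepted if the server ignores skew (only the replay cache then guards reuse)."""
    server = Server(now=1_000_000, ignore_skew=ignore_skew)
    stale = Authenticator("user@EXAMPLE.COM", ctime=1_000_000 - 5 * 3600, cusec=1)
    result = server.verify_ap_req(stale)
    return result if isinstance(result, str) else result.code


if __name__ == "__main__":
    print(demo_skew_retry())                 # ('OK', 2)
    print(demo_replay(ignore_skew=True))     # ('OK', 'KRB_AP_ERR_REPEAT')
    print(demo_stale_authenticator(False))   # KRB_AP_ERR_SKEW
    print(demo_stale_authenticator(True))    # OK
```

The strict server matches what Jeremy describes Samba doing: the 5-hour-slow client is refused until it resubmits with a timestamp derived from the server's `stime`, at which point the login succeeds on the second attempt. The `ignore_skew=True` server matches the behaviour he suspects of Windows servers: an authenticator minted hours earlier passes the time check, so the replay cache is the only remaining defence against reuse, which is exactly why his answer to the man-in-the-middle question hinges on whether a replay cache is present. In a real deployment the skew check also bounds how long a replay cache must remember entries, so the two mechanisms are meant to work together rather than substitute for one another.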
Re: [Samba] Samba kerberos more time sensitive than Windows?
On Tue, Mar 13, 2007 at 11:50:14AM +1300, Jason Haar wrote:
> Hi there
>
> We just had a problem where a user couldn't connect to a Samba server that is a full ADS member. The same user could successfully connect to Windows2K3 servers. The problem was obvious - their clock was 5 hours out, and Samba rejected their connections with a "Failed to verify incoming ticket". Correcting the time fixed the fault.
>
> However, it remains that Samba rejected them when Windows servers didn't. Is that an option that can be enabled? Anything that makes Samba look more like Windows is a Good Thing (even if it violates the entire point of Kerberos! ;-)

We need to know what the Windows server did in this case? Did it give an error message that caused the client to fall back to an NTLM auth? A capture trace would help here.

Jeremy.