Univention Bugzilla – Bug 34439
Joining a Windows Client without pre-synchronized clocks
Last modified: 2014-07-17 12:19:58 CEST
Created attachment 5845: heimdal_1.6_KRB5KRB_AP_ERR_SKEW.patch

When joining a Windows client into a UCS 3.2 Samba4 domain without pre-synchronized system clocks, the join aborts with a generic error message, indicating wrong credentials. In contrast, when joining into a native Windows 2008R2 AD domain, the join succeeds even without pre-synchronized clocks. A Wireshark trace shows that the native Windows DC simply indicates the reason for the problem to the client by returning the appropriate Kerberos error code (KRB5KRB_AP_ERR_SKEW), which causes the Windows client to adjust the Kerberos timestamp and try again. The UCS 3.2 DC returns a generic KRB5KDC_ERR_PREAUTH_REQUIRED instead, which causes the client to give up.

My feeling is that this used to work in UCS 3.1, and it seems to me that this is a regression. The reason seems to be that in UCS 3.1 we used to build Samba against the Samba4-internal Heimdal, but in UCS 3.2 we now build it against the Debian system Heimdal. More precisely, the patch samba4/3.1-0-0-ucs/4.0.3-1-ucs3.1-1/08_configure_options.patch, which was adjusted to build against the Samba4-internal Heimdal in UCS 3.1 (Bug 29005), was modified in the transition to UCS 3.2 in a way that causes Samba to choose the Debian system Heimdal instead.

Now, comparing the Samba4-forked Heimdal against Debian Heimdal 1.6 shows that both contain a comment on, and a code block targeted precisely at, the behaviour of Windows clients in the case of a clock skew. The problem with the Heimdal 1.6 code is that it has been restructured in a way that the proper error message KRB5KRB_AP_ERR_SKEW is neglected and overwritten with the more generic error message. The attached patch fixed the problem in my quick test with a Windows client.
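The exchange described in the report, as an added illustration that is not part of the bug report or of Heimdal's code: a simplified model of the Kerberos pre-authentication step in which the KDC validates the client's encrypted timestamp and the client retries only when the KDC names the real cause. The `report_skew` switch is an assumption introduced here to contrast the two KDC behaviours (specific KRB5KRB_AP_ERR_SKEW with the server time, versus the generic KRB5KDC_ERR_PREAUTH_REQUIRED); the numeric error codes are the RFC 4120 values, and the five-minute skew limit is the usual Kerberos default.

```python
"""Simplified model of the pre-authentication timestamp check (PA-ENC-TIMESTAMP)
and of a Windows-style client that adjusts its Kerberos time on KRB_AP_ERR_SKEW.
This is an added example, not code from Heimdal, Samba or the bug report."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Error codes named in the bug report; numeric values are those of RFC 4120.
KRB5KDC_ERR_PREAUTH_REQUIRED = 25
KRB5KRB_AP_ERR_SKEW = 37
MAX_CLOCK_SKEW = timedelta(minutes=5)  # conventional Kerberos clockskew default


@dataclass
class KdcReply:
    error: Optional[int]                  # None models a successful AS-REP
    server_time: Optional[datetime] = None  # KDC's stime, carried in KRB-ERROR


def kdc_check_timestamp(client_ts: datetime, kdc_now: datetime,
                        report_skew: bool) -> KdcReply:
    """KDC side. report_skew=True models a KDC that returns the specific skew
    error (native Windows DC, Samba4-internal Heimdal, patched Heimdal 1.6);
    report_skew=False models the unpatched 1.6 path where the skew result is
    overwritten by the generic pre-authentication error. (Assumed switch.)"""
    if abs(client_ts - kdc_now) > MAX_CLOCK_SKEW:
        if report_skew:
            return KdcReply(KRB5KRB_AP_ERR_SKEW, kdc_now)
        return KdcReply(KRB5KDC_ERR_PREAUTH_REQUIRED)
    return KdcReply(None)


def windows_client_join(client_now: datetime, kdc_now: datetime,
                        report_skew: bool, max_tries: int = 2) -> str:
    """Client side: send a timestamp; on KRB_AP_ERR_SKEW adopt the KDC's time
    offset and retry; on any other error give up with a generic failure."""
    offset = timedelta(0)
    for _ in range(max_tries):
        reply = kdc_check_timestamp(client_now + offset, kdc_now, report_skew)
        if reply.error is None:
            return "joined"
        if reply.error == KRB5KRB_AP_ERR_SKEW and reply.server_time is not None:
            offset = reply.server_time - client_now  # adjust Kerberos time
            continue
        return "join failed: bad credentials"  # generic error, client gives up
    return "join failed: bad credentials"


if __name__ == "__main__":
    # Constructed sample clocks mirroring the report: client around January 2013,
    # DC at 9 February 2014.
    client_clock = datetime(2013, 1, 15, tzinfo=timezone.utc)
    dc_clock = datetime(2014, 2, 9, tzinfo=timezone.utc)
    print("DC reports skew:   ", windows_client_join(client_clock, dc_clock, True))
    print("DC generic error:  ", windows_client_join(client_clock, dc_clock, False))
```

With a thirteen-month skew the first variant succeeds on the second attempt because the client learns the KDC's time from the KRB-ERROR, while the second variant fails on the first attempt because a generic pre-authentication error gives the client nothing to correct.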
A slightly improved version of the patch was sent to the heimdal-bugs list; it also applies to the current git master branch. Heimdal was rebuilt with that patch in errata3.2-1.

In a quick test I was able to join my Windows 7 client with a local system clock around January 2013 into a UCS 3.2-1 Samba4 DC Master with local system time set to 9th Feb 2014. The join succeeded without further ado, and after rebooting the machine the system clock was synchronized automatically via NTP to the time of the master.

Advisory: 2014-04-03-heimdal.yaml
Code Review: OK Tests Heimdal: OK Tests Samba4: OK YAML: OK (+ r49163)
http://errata.univention.de/ucs/3.2/85.html