Description Arvid Requate 2014-04-01 18:24:04 CEST

Created attachment 5845 [details]
heimdal_1.6_KRB5KRB_AP_ERR_SKEW.patch

When joining a Windows client into UCS 3.2 Samba4 domain without pre-synchronized system clocks, the join aborts with a generic error message, indicating wrong credentials.

In contrast, when joining into a native Windows 2008R2 AD domain, the join succeeds even without pre-synchronized clocks. A wireshark trace shows that the native Windows DC simply indicates the reason of the problem to the client by returning the appropriate Kerberos error code (KRB5KRB_AP_ERR_SKEW), which causes the Windows client to adjust the Kerberos timestamp and try again. The UCS 3.2 DC returns a generic KRB5KDC_ERR_PREAUTH_REQUIRED instead, which causes the client to give up.

My feeling is that this used to work in UCS 3.1, and it seems to me that this is a regression. The reason seems to be that in UCS 3.1 we used build Samba against the samba4 internal heimdal, but in UCS 3.2 we now build it against the debian system heimdal.

More precisely the patch
  samba4/3.1-0-0-ucs/4.0.3-1-ucs3.1-1/08_configure_options.patch
which was adjusted to build against the samba4 internal heimdal in UCS 3.1 (Bug 29005), was modified in the transition to UCS 3.2 in a way that causes samba to choose the debian system heimdal instead.

Now, comparing the samba4 forked heimdal against debian heimdal 1.6 shows that both contain a comment on and a code block targeted precisely at the behaviour of windows clients in the case of a clock skew. The problem with the heimdal 1.6 code is, that it has been restructured in a way that the proper error message KRB5KRB_AP_ERR_SKEW is neglected and overwritten with the more generic error message. The attached patch fixed the problem in my quick test with a Windows client.