Kerberos authentication and Time Skew: does not always work

JC Ferguson jc at acopia.com
Mon Sep 3 22:52:40 EDT 2007


Hi, I am using the 1.3.6 version of the MIT Kerberos library on Linux
for authenticating SMB-based connections using Kerberos authentication.
The KDC is Windows and our typical clients are Windows-based, i.e., XP,
2000, and 2003.

One issue I am having is the ability to deal with client-side clock
skew.  I have a simple program (runs on Windows) that cycles through
hundreds of different users.  When I run it against my SMB server,
approximately 50% of the connections succeed, while all the others fail
due to clock skew.

If I run this same program from the same windows-based client against a
Windows 2000 or Windows 2003 server, 100% of the connections succeed.
Looking at the network trace, the typical conversation proceeds as
follows. (Note: The client has the skewed clock; the KDC and the server
do not.  The KDC is Windows 2000.):

client -> KDC : AS-REQ
KDC -> client : KRB-ERROR: TIME_SKEW
client -> KDC : AS-REQ
KDC -> client : AS-REP
client -> KDC : TGS-REQ for server ticket
KDC -> client : TGS-REP. Call this ticket "T1"
client -> srvr: SMB "session setup" message with ticket T1, authenticator A1.
srvr -> client: SMB session setup response with KRB-ERROR: TIME_SKEW
client -> srvr: SMB "session setup" message with ticket T1, authenticator A2.
srvr -> client: SMB session setup response: SUCCESS

I noticed, in the second exchange between the client/server, the client
does not go to the KDC for a new ticket, but rather generates a
different authenticator (A2) and uses the same ticket, which the server
accepts.

When I try this same sequence against my device, I get the same client
behavior (i.e., we return TIME_SKEW, it tries again with a different
authenticator); however, the second attempt results in the same error,
TIME_SKEW, being returned.

The clock skew policy on the server is 5 minutes.

I understand the basic technique/theory behind allowing a client to have
skew as described in RFC 4120 and in more detail the DGT96 reference in
the RFC.  I'm not sure how much of this is already implemented in the
MIT library, whether or not there is a compile-time option I forgot to
set to get it to work, or whether or not there is a krb5.conf option I
can set, etc.

Any help is much appreciated in determining what step I ought to take
next.

thank you,
JC
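The client/server exchange described above, as an added simulation that is not part of the original post or of the MIT library: the server applies the 5-minute skew policy and a replay cache, returns its own time (stime) in the KRB-ERROR, and the client retries with the same ticket T1 and a new authenticator A2 whose timestamp is corrected by the learned offset. The class and function names, and the simplified integer clocks, are assumptions of this example.

```python
from dataclasses import dataclass, field

MAX_SKEW = 300  # seconds; the 5-minute clock-skew policy from the post


@dataclass
class Authenticator:
    cname: str
    ctime: int  # client's claimed time, seconds since epoch
    cusec: int  # microseconds; with cname/ctime it forms the replay-cache key


@dataclass
class Server:
    now: int  # the server's (correct) clock; assumed fixed during the exchange
    max_skew: int = MAX_SKEW
    replay_cache: set = field(default_factory=set)

    def ap_req(self, ticket: str, auth: Authenticator):
        """Validate one SMB session-setup (AP-REQ). Returns (status, stime)."""
        key = (auth.cname, auth.ctime, auth.cusec)
        if key in self.replay_cache:
            return "KRB_AP_ERR_REPEAT", self.now
        if abs(auth.ctime - self.now) > self.max_skew:
            # RFC 4120 KRB-ERROR carries stime, so the client can learn the offset
            return "KRB_AP_ERR_SKEW", self.now
        self.replay_cache.add(key)  # accepted authenticators must not be reused
        return "SUCCESS", self.now


def session_setup(server: Server, ticket: str, cname: str, client_now: int):
    """Client side: send A1 from its own clock; on TIME_SKEW, reuse ticket T1
    with a fresh authenticator A2 whose ctime is shifted by (stime - client time).
    Returns the trace as a list of (authenticator, ctime, status)."""
    trace = []
    a1 = Authenticator(cname, client_now, 1)
    status, stime = server.ap_req(ticket, a1)
    trace.append(("A1", a1.ctime, status))
    if status != "KRB_AP_ERR_SKEW":
        return trace
    offset = stime - client_now  # learned from the KRB-ERROR, no new TGS-REQ
    a2 = Authenticator(cname, client_now + offset, 2)  # same ticket T1, new cusec
    status, _ = server.ap_req(ticket, a2)
    trace.append(("A2", a2.ctime, status))
    return trace


if __name__ == "__main__":
    srv = Server(now=1_000_000)
    # constructed input: client clock 15 minutes behind the server
    for step in session_setup(srv, "T1", "user@EXAMPLE.COM", 1_000_000 - 900):
        print(step)
```

A server that rejects A2 even though its corrected ctime lies within the window is the behaviour the post describes as failing; with this rule A2 is accepted because it is both inside the window and absent from the replay cache.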
