On Wed, 2014-08-20 at 23:51 -0500, Steve French wrote:
> This is an unusual-sounding issue. Any comments on this from the auth experts?
>
> Seems better to investigate this more if we end up enforcing a "must
> be within 5 minutes" threshold instead of this patch. Have we done a
> dochelp on this before?

I am certainly nervous about this patch, as I've not ever seen this before.

The thing that makes me feel particularly odd about this is that:

In general, NTLMSSP clients don't have the server's time, and certainly don't have the domain controller's time. (That CIFS provides this does not mean we should use it; NTLMSSP is a general protocol, and adding CIFS-specific hacks indicates we are understanding it wrong, in my experience.)

BTW, the domain controller is the only element here that could check the embedded time, but I'll grant that typically servers are better in sync with each other than this embedded device might be.

The 5 mins stuff probably refers to Kerberos, which does have such a time limit. I've never seen NTLMSSP fail against Windows due to clock skew.

I would like to see much more investigation here before this is done, because if you just trust the server's time, and if you need to, to pass a security check, you override that check. We need to understand why it is in place.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba