SMB Session Setup Clock Skew Too Great Error





During SMB2 SESSION_SETUP, if Kerberos is used for authentication, the client sends a Kerberos ticket to the server.


The server validates the ticket using:


Ticket timestamp


Lifetime


Server’s clock


If the client’s and server’s clocks differ too much, the server rejects the ticket.





What KRB_AP_ERR_SKEW Means


Error Code: 0x00000036 (decimal 54)


Constant Name: KRB_AP_ERR_SKEW


Meaning: The time difference between client and server is too large.


Typical tolerance: ±5 minutes by default in Windows Active Directory.



SMB2 Full Session Flow (with Clock Skew)

Client -------------------------------------------- Server
  |                                                      |
  | 1. NEGOTIATE Request                                 |
  | smb2.cmd = NEGOTIATE                                 |
  | smb2.flags.response = 0                              |
  | Dialects: 0x0202, 0x0311                             |
  | Capabilities: DFS, etc.                              |
  |----------------------------------------------------->|
  |                                                      |
  | 2. NEGOTIATE Response                                |
  | smb2.cmd = NEGOTIATE                                 |
  | smb2.flags.response = 1                              |
  | Selected Dialect: 0x0311                             |
  | Capabilities: DFS, Large MTU,                        |
  | Leasing, Multi-channel, Encryption                   |
  |<-----------------------------------------------------|
  |                                                      |
  | 3. SESSION_SETUP Request                             |
  | smb2.cmd = SESSION_SETUP                             |
  | smb2.flags.response = 0                              |
  | Security Buffer: Kerberos AP-REQ                     |
  | (Ticket timestamp = T1)                              |
  |----------------------------------------------------->|
  |                                                      |
  | 4a. SESSION_SETUP Response (Fail)                    |
  | smb2.cmd = SESSION_SETUP                             |
  | smb2.flags.response = 1                              |
  | kerberos.error_code = KRB_AP_ERR_SKEW                |
  | smb2.nt_status = STATUS_TIME_DIFFERENCE_AT_DC        |
  | (Server clock = T2, |T2-T1| > 5 min)                 |
  |<-----------------------------------------------------|
  |                                                      |
  | --> Client must resync clock and retry SESSION_SETUP |
  |                                                      |
  | 4b. SESSION_SETUP Request (Retry)                    |
  | smb2.cmd = SESSION_SETUP                             |
  | smb2.flags.response = 0                              |
  | Security Buffer: Kerberos AP-REQ                     |
  | (New ticket, correct timestamp)                      |
  |----------------------------------------------------->|
  |                                                      |
  | 5. SESSION_SETUP Response (Success)                  |
  | smb2.cmd = SESSION_SETUP                             |
  | smb2.flags.response = 1                              |
  | smb2.nt_status = STATUS_SUCCESS                      |
  | smb2.session_id = 0x1000                             |
  |<-----------------------------------------------------|
  |                                                      |
  | 6. TREE_CONNECT Request                              |
  | smb2.cmd = TREE_CONNECT                              |
  | smb2.flags.response = 0                              |
  | Share: \\server\share                                |
  |----------------------------------------------------->|
  |                                                      |
  | 7. TREE_CONNECT Response                             |
  | smb2.cmd = TREE_CONNECT                              |
  | smb2.flags.response = 1                              |
  | smb2.tree = 0x03                                     |
  | smb2.nt_status = STATUS_SUCCESS                      |
  |<-----------------------------------------------------|
  |                                                      |
  | --> Now client can CREATE / READ / WRITE files       |



Key Points


NEGOTIATE: Agree on SMB dialect and server capabilities.


SESSION_SETUP: Authenticate user.


If the Kerberos ticket has excessive clock skew → the first attempt fails.


After resync, the client retries and succeeds.


TREE_CONNECT: Connect to a share → server assigns Tree ID.


File Operations: Client can now use CREATE, READ, WRITE using Tree ID + Session ID.
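
Steps 4a, 4b and 5 of the flow above, as an added Python example that is not part of the original page: it applies the |T2-T1| > 5 min check and classifies each client's SESSION_SETUP responses as clean, recovered after a skew failure, or still failing. The records are constructed dicts keyed by the field names shown in the diagram, with symbolic status names; the "time" and "client" keys and all function names are assumptions.

```python
from datetime import datetime, timedelta

MAX_SKEW = timedelta(minutes=5)  # default tolerance stated on this page

def skew_exceeded(t1, t2, tolerance=MAX_SKEW):
    """Step 4a check: ticket timestamp T1 vs server clock T2, |T2-T1| > tolerance."""
    return abs(t2 - t1) > tolerance

def classify_session_setups(records):
    """Map each client to 'ok', 'skew_recovered' or 'skew_unresolved'."""
    seen_skew, outcome = set(), {}
    for r in sorted(records, key=lambda rec: rec["time"]):
        if r["smb2.cmd"] != "SESSION_SETUP" or r["smb2.flags.response"] != 1:
            continue  # only SESSION_SETUP responses carry the verdict
        client = r["client"]
        if (r.get("kerberos.error_code") == "KRB_AP_ERR_SKEW"
                or r.get("smb2.nt_status") == "STATUS_TIME_DIFFERENCE_AT_DC"):
            seen_skew.add(client)
            outcome[client] = "skew_unresolved"  # stays so until a later success
        elif r.get("smb2.nt_status") == "STATUS_SUCCESS":
            outcome[client] = "skew_recovered" if client in seen_skew else "ok"
    return outcome

def rec(sec, client, cmd, resp, status=None, krb=None):
    """Build one constructed record; 'time' and 'client' are hypothetical keys."""
    return {"time": sec, "client": client, "smb2.cmd": cmd,
            "smb2.flags.response": resp, "smb2.nt_status": status,
            "kerberos.error_code": krb}

SKEW = ("STATUS_TIME_DIFFERENCE_AT_DC", "KRB_AP_ERR_SKEW")
SAMPLE = [  # constructed records, not taken from a real capture
    rec(0, "10.0.0.5", "NEGOTIATE", 1, "STATUS_SUCCESS"),
    rec(1, "10.0.0.5", "SESSION_SETUP", 0),                     # 3: request
    rec(2, "10.0.0.5", "SESSION_SETUP", 1, *SKEW),              # 4a: fail
    rec(3, "10.0.0.5", "SESSION_SETUP", 0),                     # 4b: retry
    rec(4, "10.0.0.5", "SESSION_SETUP", 1, "STATUS_SUCCESS"),   # 5: success
    rec(5, "10.0.0.6", "SESSION_SETUP", 1, *SKEW),
    rec(9, "10.0.0.6", "SESSION_SETUP", 1, *SKEW),              # never recovers
    rec(6, "10.0.0.7", "SESSION_SETUP", 1, "STATUS_SUCCESS"),   # no skew at all
]

if __name__ == "__main__":
    t1 = datetime(2024, 1, 1, 12, 0, 0)  # constructed ticket timestamp T1
    print(skew_exceeded(t1, t1 + timedelta(minutes=7)))
    print(classify_session_setups(SAMPLE))
```

A client that stays in skew_unresolved is the one whose time source needs attention; a client in skew_recovered matches the 4a, 4b, 5 sequence in the diagram.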

www.traceinside.com