From 6cf72f998b8cefbe3c67327b9a664ab704bbab55 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= <lha@kth.se>
Date: Sat, 4 Nov 2006 17:05:28 +0000
Subject: [PATCH] (_kdc_as_rep): More verbose time skew logging.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18908 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/kerberos5.c | 28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 23d264873..375c071a0 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1055,10 +1055,32 @@ _kdc_as_rep(krb5_context context,
 	    }
 	    free_PA_ENC_TS_ENC(&p);
 	    if (abs(kdc_time - p.patimestamp) > context->max_skew) {
-		ret = KRB5KDC_ERR_PREAUTH_FAILED;
+		char client_time[100];
+		
+		krb5_format_time(context, p.patimestamp, 
+				 client_time, sizeof(client_time), TRUE); 
+
+ 		ret = KRB5KRB_AP_ERR_SKEW;
+ 		kdc_log(context, config, 0,
+			"Too large time skew, "
+			"client time %s is out by %u > %u seconds -- %s", 
+			client_time, 
+			(unsigned)abs(kdc_time - p.patimestamp), 
+			context->max_skew,
+			client_name);
+#if 0
+		/* This code is from samba, needs testing */
+		/* 
+		 * the following is needed to make windows clients
+		 * to retry using the timestamp in the error message
+		 *
+		 * this is maybe a bug in windows to not trying when e_text
+		 * is present...
+		 */
+		e_text = NULL;
+#else
 		e_text = "Too large time skew";
-		kdc_log(context, config, 0,
-			"Too large time skew -- %s", client_name);
+#endif
 		goto out;
 	    }
 	    et.flags.pre_authent = 1;