[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller

Roy Eastwood spindles7 at gmail.com
Sat Jul 21 13:13:45 UTC 2018


On Sat, 21 Jul 2018 12:16:42 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Sat, 21 Jul 2018 11:24:47 +0100
> Roy Eastwood via samba <samba at lists.samba.org> wrote:
> 
> > "Failed to establish your Kerberos Ticket cache due time differences
> > with the domain controller.  Please verify the system time."
> 
> It looks like there is something wrong with your time settings, even
> though you don't think there is. Do your DC's point to themselves as
> the dns server or each other ?

The DCs point to themselves in /etc/resolv.conf (in order that samba_dnsupdate
works OK), i.e.

debian-vb (ip address 192.168.2.6) /etc/resolv.conf:
=======
search microilynx.org
nameserver 192.168.2.6
nameserver 192.168.2.4


pi-dc (ip address 129.168.2.4)
=========
search microilynx.org
nameserver 192.168.2.4
nameserver 192.168.2.6

> > Can I ignore this warning or does it point to something wrong with the
> > installation?
> 
> You have a problem, you should not ignore it. I would peer very closely
> at the rpi, mainly because it doesn't have an RTC.
> 
> It may help if you posted the main conf files from both DC's
> 
> Rowland
> 
OK, global section of smb.conf files:

From debian-vb:
=============
# Global parameters
[global]
	netbios name = DEBIAN-VB
	realm = MICROLYNX.ORG
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	workgroup = MICROLYNX
	idmap_ldb:use rfc2307 = yes
	wins support = no
	local master = yes
	domain master = yes
	preferred master = yes
# prevent CUPS errors in syslog
	printcap name = /dev/null
	load printers = no
# add the following two lines for testing - remove for production
	winbind enum users = yes
	winbind enum groups = yes
	template shell = /bin/bash
	template homedir = /home/%D/%U
	log file = /var/log/samba/log.samba
	log level = 1

From pi-dc:
=========
# Global parameters
[global]
	netbios name = PI-DC
	realm = MICROLYNX.ORG
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	workgroup = MICROLYNX
	wins support = no
	local master = no
	domain master = yes
	preferred master = no
# prevent CUPS errors in syslog
	printcap name = /dev/null
	load printers = no

# add the following two lines for testing - remove for production
	winbind enum users = yes
	winbind enum groups = yes
	
# allow AD users to log on
	template shell = /bin/bash
	template homedir = /home/%D/%U
	
	log file = /var/log/samba/samba.log
	log level = 1

/etc/chrony/chrony.conf: is as per the Samba Wiki (with IP address changed as
appropriate and servers: 0.uk.pool.ntp.org etc.)

/etc/krb5/conf:
===========
[libdefaults]
	default_realm = MICROLYNX.ORG
	dns_lookup_realm = false
	dns_lookup_kdc = true

I realised that the pi has no RTC, but I have now found that there's a service
running called fake-hwclock, which I assume can be removed or disabled now that
chrony is setting the clock? There's also a systemd-timesyncd service, which
is enabled - I assume that should also be disabled?

Do you need any other config files?

Thanks Rowland for your help as always.

Roy




