[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller
L.P.H. van Belle
belle at bazuin.nl
Mon Jul 23 06:39:17 UTC 2018
If you chrony is using the default ntp pools, yes, you might see this.
Try to set both servers to a few stratum 1 servers.
Look them up here, choose 2-3 close to you.
https://support.ntp.org/bin/view/Servers/StratumOneTimeServers
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> Rowland Penny via samba
> Verzonden: zaterdag 21 juli 2018 13:17
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Failed to establish your Kerberos
> Ticket cache due time differences with the domain controller
>
> On Sat, 21 Jul 2018 11:24:47 +0100
> Roy Eastwood via samba <samba at lists.samba.org> wrote:
>
> > From: Roy Eastwood via samba <samba at lists.samba.org>
> > To: <samba at lists.samba.org>
> > Subject: [Samba] Failed to establish your Kerberos Ticket cache due
> > time differences with the domain controller Date: Sat, 21 Jul 2018
> > 11:24:47 +0100 Reply-To: Roy Eastwood <spindles7 at gmail.com>
> > Sender: "samba" <samba-bounces at lists.samba.org>
> > X-Mailer: Microsoft Outlook 14.0
> >
> > I have this warning message when I try to logon using a domain user
> > to the DC itself:
> >
> > "Failed to establish your Kerberos Ticket cache due time differences
> > with the domain controller. Please verify the system time."
>
> It looks like there is something wrong with your time settings, even
> though you don't think there is. Do your DC's point to themselves as
> the dns server or each other ?
>
> >
> > I have set up PAM using this file: /usr/share/pam-configs/winbind:
> >
>
> That is the debian default, which works for me ;-)
>
>
> > The time is correct on both DCs (I am using chrony to set time using
> > ntp). I have two DCs: one based on Debian Stretch and one based
> > on Rasbian Stretch. Both are using Samba 4.8.3 compiled from
> > source. Both have similar configurations. The Debian
> DC doesn't
> > give this warning, but the Rasbian one does; the user is logged on
> > anyway. If I remove the krb5 entries from the Auth lines in the
> > above file the warning disappears. Using kinit works OK.
> >
> > Can I ignore this warning or does it point to something
> wrong with the
> > installation?
>
> You have a problem, you should not ignore it. I would peer
> very closely
> at the rpi, mainly because it doesn't have an RTC.
>
> It may help if you posted the main conf files from both DC's
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
More information about the samba
mailing list