[Samba] "Ticket not yet valid" message in log

Andrew Bartlett abartlet at samba.org
Sat Jan 10 03:31:15 GMT 2004

On Fri, Jan 09, 2004 at 12:17:02PM +1000, Peter McFarlane wrote:
> Hi,
> I'm having a problem with Samba 3 in AD mode. For some reason, the first
> time (usually first thing in the morning) a user tries to map a drive to
> my samba 3 server, the log shows a message "Ticket not yet valid". The
> user is prompted for username/password (they've already logged on to the
> windows domain, so they shouldn't be prompted.
> The user then waits for a minute or so, tries again, and the drive is
> mapped ok. Subsequent browses or mappings work for the rest of the day.
> Something seems to expire over night - next morning, first attempt to
> browse or map a drive will prompt user for password. If they cancel,
> wait a minute or so, next time it's ok.
> Unfortunately, there are some processes on other windows servers which
> map drives on the samba server without user intervention - their first
> attempt fails, which is a big problem - an administrator has to check if
> the connection(s) worked or not.

> The Samba 3.0.0 is compiled on AIX 4.3.3 ML 9, with Kerberos 1.3.1,
> OpenLDAP  2.1.22, libiconv 1.9.1 and Berkeley DB 4.1.25.
> AD is 2003 mixed mode.
> Any help on why this is happening (or where to look) would be much
> appreciated.

Configure your server to use the DC as a time source, probably using
NTP.  Then, for compleatness, aim your DC at a valid internet time
server.  This should fix your issues, as kerberos assumes a
syncronised clock.

Andrew Bartlett

More information about the samba mailing list