[Samba] Clock skew and net ads join problem

Clint Sharp clint at typhoon.org
Thu May 20 09:18:38 GMT 2004 

Sahibzada Junaid Noor wrote:

>HI,
>
>   when i try to execute the kinit command on my Red
>hat 9 system with samba 3 i get the following error
>
> [root at niit125 root]# kinit junaid at NIIT.EDU.PK
> Password for junaid at NIIT.EDU.PK:
> kinit(v5): Clock skew too great while getting initial
>   credentials
>
>so how do i solve the clock skew problem cause i have
>checked the time on both of them it is the same. 
>
>the net ads join command doesnt give any error but i
>still see nothing in the active directory computers
>list
>
>also should the smbd, nmbd and winbind be running when
>i am running the commands 
>     kinit 
>      and 
>  net ads join?
>
>here is the global section of my smb.conf
>
>workgroup = MYGROUP
>server string = Samba Server
>printcap name = /etc/printcap
>load printers = yes
>log file = /var/log/samba/smbd.log
>max log size = 50
>realm = NIIT.EDU.PK
>security = ADS
>password server = 10.10.11.1(IP of the machine running
>Active directory)
>encrypt passwords = yes
>dns proxy = no
>
>And here is my krb5.conf. 
>
>[logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> 
>  
> 
>[libdefaults]
> ticket_lifetime = 24000
> default_realm = NIIT.EDU.PK
> dns_lookup_realm = false
> dns_lookup_kdc = false
> forwardable = true
> default_tkt_enctypes = des-cbc-crc
> default_tgs_enctypes = des-cbc-crc
> 
>[realms]
> NIIT.EDU.PK = {
>  kdc = mnsvr.niit.edu.pk:88
>  admin_server = mnsvr.niit.edu.pk:749
>  default_domain = niit.edu.pk
> }
>[domain_realm]
> .niit.edu.com = NIIT.EDU.PK
> niit.edu.pk = NIIT.EDU.PK
>                                                      
>                                          
>[kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
> afs_salt = NIIT.EDU.PK
>                                                      
>                                          
>[appdefaults]
> pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
> }
>
>
>plz help me with the skew problem cause i have checked
>the time on both linux and domain controllers they are
>the same.
>
>also the net ads join command doesnt give any error
>but still i cannot see the machine in the AD computers
>list.
>
>and should the three samba daemons be running when i
>execute the kinit and net ads join commands?
>
>
>
>
>  
>
>=====
>
>  Sahibzada Junaid Noor  
>  Ph   #  (+92) (051) 5950 940
>  Cell #   (+92) (0333) 5223586
>  Qazi plaza,Third Floor,Commerical Market,Chaklala Scheme 3,
>  Rawalpindi
>  Islamic Republic of Pakistan 
>
>  
>
Have you verified the timezones are identical and that one isn't set to 
PM while the other is AM?  In my experience the only times I've received 
errors of this kind, either in Windows or from kerberos is when the 
timezones are set incorrectly or I had accidently set the clock to AM or 
PM when it should have been the other.  Also, are you using some sort of 
time sychronization (NTP preferably)?

Clint

More information about the samba mailing list