[Samba] unknown authentification failure - Samba 4.0.1 pdc
samba at bugblatterbeast.de
Thu Oct 31 15:40:01 MDT 2013
Am 31.10.2013 13:30, schrieb bugblatterbeast:
> Am 31.10.2013 10:10, schrieb steve:
>> On Wed, 2013-10-30 at 22:21 +0100, bugblatterbeast wrote:
>>> I really wish, there was a way to log all the kerberos-calls and
>> A good way is to have a look at the krb5 messages from the KDC in real
>> Shut down all the DC's. Now restart just one of them:
>> samba -i -d3
>> Go and reproduce the problems on the problematic client. Now you will
>> see the messages _as they happen_.
>> d4, d5 etc. if you want lots of messages.
> Now we're talking... that's exactly what I was looking for. Thank you
> very much. I'll have to wait, untill everybody finished working than I
> will give it a try.
Allright, problem solved.
That was exactly the hint I needed. I'm working with samba quite a
while, but I didn't know, that there was an interactive mode. This is
really helpful. Seems like after so many time I've spend with the
documentation, I've never read the samba-manpage through... silly me.
Increasing the log-level gave me this information:
Kerberos: Too large time skew, client time 2013-10-31T18:46:55 is out by
329 > 300 seconds -- myname at domain_name
I never thought about that and most likely, I would have searched
forever.... It was so strange, that it worked on friday and didn't on
monday. I didn't even know about this policy and so it didn't cross my
mind, that over the weekend, we had a time-change in Germany because of
that stupid daylight-preserving-hour. Maybe one of the
windows-administrators changed the time of this client manually, while
all the others where changed automatically (somehow the difference was
5'29" and not an hour). Anyway, I'm very happy, that I can now explain,
why that problem would have occured with a Windows-Server as well and
ensure everybody that it was not a samba-failure and won't happen again.
Thank's a lot, to all of you, bbb
More information about the samba