[Samba] unknown authentification failure - Samba 4.0.1 pdc

bugblatterbeast samba at bugblatterbeast.de
Thu Oct 31 15:40:01 MDT 2013

Am 31.10.2013 13:30, schrieb bugblatterbeast:
> Am 31.10.2013 10:10, schrieb steve:
>> On Wed, 2013-10-30 at 22:21 +0100, bugblatterbeast wrote:
>>> I really wish, there was a way to log all the kerberos-calls and
>>> authentication-errors.
>> Hi
>> A good way is to have a look at the krb5 messages from the KDC in real
>> time.
>> Shut down all the DC's. Now restart just one of them:
>> samba -i -d3
>> Go and reproduce the problems on the problematic client. Now you will
>> see the messages _as they happen_.
>> d4, d5 etc. if you want lots of messages.
>> HTH
>> Steve
> Now we're talking... that's exactly what I was looking for. Thank you 
> very much. I'll have to wait, untill everybody finished working than I 
> will give it a try.
> bbb

Allright, problem solved.

That was exactly the hint I needed. I'm working with samba quite a 
while, but I didn't know, that there was an interactive mode. This is 
really helpful. Seems like after so many time I've spend with the 
documentation, I've never read the samba-manpage through... silly me.

Increasing the log-level gave me this information:

Kerberos: Too large time skew, client time 2013-10-31T18:46:55 is out by 
329 > 300 seconds -- myname at domain_name

I never thought about that and most likely, I would have searched 
forever.... It was so strange, that it worked on friday and didn't on 
monday. I didn't even know about this policy and so it didn't cross my 
mind, that over the weekend, we had a time-change in Germany because of 
that stupid daylight-preserving-hour. Maybe one of the 
windows-administrators changed the time of this client manually, while 
all the others where changed automatically (somehow the difference was 
5'29" and not an hour). Anyway, I'm very happy, that I can now explain, 
why that problem would have occured with a Windows-Server as well and 
ensure everybody that it was not a samba-failure and won't happen again.

Thank's a lot, to all of you, bbb

More information about the samba mailing list