[Samba] kinit clock skew issue from same machine as krb server

[better names]

I've been running Samba 4x on FreeBSD successfully for years with a single Active Directory domain controller but have recently added a second domain controller. The setup worked great for a few days but suddenly developed a series of permission-denied style errors and UID mapping errors on the new/second DC2 which I've been slowly working through.


My current issue which I've been trying to resolve for 2 weeks is the common kinit "Clock skew too great" message. I've tried all the obvious things and everything else I could think of.


Both DC's have their CMOS time set to the correct UTC time and the timezones under FreeBSD are both set to UTC. I've tried syncing the times in every different way I can think of - including ntpdate from DC2 using DC1 as the time source (and also syncing them both against the NIST time pool, etc.).


And as far as I can tell the dates and times are kept within a second on both machines.



So the scenario is...


Running kinit from DC1 against DC1 - Success

Running kinit from DC1 against DC2 - Success

Running kinit from DC2 against DC1 - Clock skew too great

Running kinit from DC2 against DC2 - Clock skew too great



It really doesn't seem like a time offset issue at all. Are there any other misconfigurations or issues that could produce this same error message? I


don't see how running kinit from DC2 against itself on the same machine can produce a clock skew? And as you can see, kinit works fine authenticating from the original DC1 against the new DC2 so DC1 doesn't see any sort of clock skew at all.


I've seen other people complain about this issue a few times in the archives but there's never a resolution.



I've also tried changing the 'clockskew' setting in my 'krb5.conf' file to some massive number and that doesn't seem to make a difference.


Both DC's are running Samba 4.4.8 on FreeBSD 11 with ZFS filesystem.



Any help with this would be very appreciated.