[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller

Roy Eastwood spindles7 at gmail.com
Sat Jul 21 10:24:47 UTC 2018


I have this warning message when I try to log on using a domain user to the DC
itself:

"Failed to establish your Kerberos Ticket cache due time differences
with the domain controller.  Please verify the system time."

I have set up PAM using this file: /usr/share/pam-configs/winbind:

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
	[success=end new_authtok_reqd=done default=ignore]	pam_winbind.so
Password-Type: Primary
Password:
	[success=end default=ignore]	pam_winbind.so use_authtok try_first_pass
Password-Initial:
	[success=end default=ignore]	pam_winbind.so
Session-Type: Additional
Session:
	optional			pam_winbind.so

The time is correct on both DCs (I am using chrony to set time using NTP). I
have two DCs: one based on Debian Stretch and one based on Raspbian Stretch.
Both are using Samba 4.8.3 compiled from source. Both have similar
configurations. The Debian DC doesn't give this warning, but the Raspbian one
does; the user is logged on anyway. If I remove the krb5 entries from the
Auth lines in the above file the warning disappears. Using kinit works OK.

Can I ignore this warning or does it point to something wrong with the
installation?

Let me know if you need more info.

Thanks,

Roy




