[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller

Rowland Penny rpenny at samba.org
Sat Jul 21 11:16:42 UTC 2018


On Sat, 21 Jul 2018 11:24:47 +0100
Roy Eastwood via samba <samba at lists.samba.org> wrote:

> From: Roy Eastwood via samba <samba at lists.samba.org>
> To: <samba at lists.samba.org>
> Subject: [Samba] Failed to establish your Kerberos Ticket cache due
>  time differences with the domain controller
> Date: Sat, 21 Jul 2018 11:24:47 +0100
> Reply-To: Roy Eastwood <spindles7 at gmail.com>
> Sender: "samba" <samba-bounces at lists.samba.org>
> X-Mailer: Microsoft Outlook 14.0
> 
> I have this warning message when I try to log on using a domain user
> to the DC itself:
> 
> "Failed to establish your Kerberos Ticket cache due time differences
> with the domain controller.  Please verify the system time."

It looks like there is something wrong with your time settings, even
though you don't think there is. Do your DCs point to themselves as
the DNS server or each other?

> 
> I have set up PAM using this file: /usr/share/pam-configs/winbind:
> 

That is the Debian default, which works for me ;-)


> The time is correct on both DCs (I am using chrony to set time using
> ntp). I have two DCs: one based on Debian Stretch and one based
> on Raspbian Stretch. Both are using Samba 4.8.3 compiled from
> source. Both have similar configurations. The Debian DC doesn't
> give this warning, but the Raspbian one does; the user is logged on
> anyway. If I remove the krb5 entries from the Auth lines in the
> above file the warning disappears. Using kinit works OK.
> 
> Can I ignore this warning or does it point to something wrong with the
> installation?

You have a problem, you should not ignore it. I would peer very closely
at the rpi, mainly because it doesn't have an RTC.

It may help if you posted the main conf files from both DCs.

Rowland