[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller

Rowland Penny rpenny at samba.org
Sat Jul 21 13:50:19 UTC 2018


On Sat, 21 Jul 2018 14:13:45 +0100
Roy Eastwood via samba <samba at lists.samba.org> wrote:

> On Sat, 21 Jul 2018 12:16:42 +0100
> > Rowland Penny via samba<samba at lists.samba.org> wrote:
> > On Sat, 21 Jul 2018 11:24:47 +0100
> > Roy Eastwood via samba <samba at lists.samba.org> wrote:
> > 
> > > "Failed to establish your Kerberos Ticket cache due time
> > > differences with the domain controller.  Please verify the system
> > > time."
> > 
> > It looks like there is something wrong with your time settings, even
> > though you don't think there is. Do your DC's point to themselves as
> > the dns server or each other ?
> 
> The DC's point to themselves in /etc/resolv.conf  (in order that
> samba_dnsupdate works ok).
> ie 
> debian-vb (ip address 192.168.2.6) /etc/resolv.conf:
> =======
> search microilynx.org
> nameserver 192.168.2.6
> nameserver 192.168.2.4
> 
> 
> pi-dc (ip address 129.168.2.4)
> =========
> search microilynx.org
> nameserver 192.168.2.4
> nameserver 192.168.2.6
> 
> > > Can I ignore this warning or does it point to something wrong
> > > with the installation?
> > 
> > You have a problem, you should not ignore it. I would peer very
> > closely at the rpi, mainly because it doesn't have an RTC.
> > 
> > It may help if you posted the main conf files from both DC's
> > 
> > Rowland
> > 
> OK, global section of smb.conf files:
> 
> From debian-vb:
> =============
> # Global parameters
> [global]
> 	netbios name = DEBIAN-VB
> 	realm = MICROLYNX.ORG
> 	server role = active directory domain controller
> 	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> 	workgroup = MICROLYNX
> 	idmap_ldb:use rfc2307 = yes

Remove the following lines, they shouldn't be in a DC
From here: 
> 	wins support = no
> 	local master = yes
> 	domain master = yes
> 	preferred master = yes
To here.

> # prevent CUPS errors in syslog
> 	printcap name = /dev/null
> 	load printers = no
> # add the following two lines for testing - remove for production
> 	winbind enum users = yes
> 	winbind enum groups = yes
> 	template shell = /bin/bash
> 	template homedir = /home/%D/%U
> 	log file = /var/log/samba/log.samba
> 	log level = 1
> 
> From pi-dc:
> =========
> # Global parameters
> [global]
> 	netbios name = PI-DC
> 	realm = MICROLYNX.ORG
> 	server role = active directory domain controller
> 	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> 	workgroup = MICROLYNX

As above, remove these lines
From here:
> 	wins support = no
> 	local master = no
> 	domain master = yes
> 	preferred master = no
To here.

> # prevent CUPS errors in syslog
> 	printcap name = /dev/null
> 	load printers = no
> 
> # add the following two lines for testing - remove for production
> 	winbind enum users = yes
> 	winbind enum groups = yes
> 	
> # allow AD users to log on
> 	template shell = /bin/bash
> 	template homedir = /home/%D/%U
> 	
> 	log file = /var/log/samba/samba.log
> 	log level = 1
> 
> /etc/chrony/chrony.conf:  is as per the Samba Wiki (with ip address
> changed as appropriate and servers:0.uk.pool.ntp.org etc)

Well that must be right, I wrote it ;-)

> 
> /etc/krb5/conf:
> ===========
> [libdefaults]
> 	default_realm = MICROLYNX.ORG
> 	dns_lookup_realm = false
> 	dns_lookup_kdc = true
> 
> I realised that the pi has no RTC, but I have now found that there's
> a service running called: fake-hwclock which I assume can be removed
> or disabled now that chrony is setting the clock?   There's also a
> systemd-timesyncd service, which is enabled - I assume that should
> also be disabled?

If you have chrony (or ntp) running, then you don't need another time
server (I take it 'systemd-timesyncd' is a time server, wouldn't know,
I do not use systemd)

Rowland
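
The smb.conf cleanup asked for in the message above, as an added example that is not part of the original thread or of Samba's own code: it reads the `[global]` section and, when the server role is an AD DC, lists the four parameters the reply says to remove. The function names and the sample config are assumptions made up for illustration.

```python
DC_ROLE = "active directory domain controller"
# Parameter names taken from the reply above.
UNWANTED_ON_DC = {"wins support", "local master", "domain master", "preferred master"}

def norm(name):
    # smb.conf names are case-insensitive; lowercase and collapse whitespace runs
    return " ".join(name.lower().split())

def parse_global(text):
    """Return {parameter: (value, first_line_no)} for the [global] section."""
    params, section, pending, start = {}, None, "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            if not line or line[0] in "#;":
                continue                  # blank line or comment
            start = no
        if line.endswith("\\"):           # trailing backslash continues the line
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = (value.strip(), start)
    return params

def audit_dc(text):
    """Return sorted (line_no, parameter, value) entries to remove on a DC."""
    params = parse_global(text)
    if norm(params.get("server role", ("", 0))[0]) != DC_ROLE:
        return []                         # the advice applies to DCs only
    return sorted((no, k, v) for k, (v, no) in params.items() if k in UNWANTED_ON_DC)

# Constructed sample, modelled on the smb.conf posted in the thread.
SAMPLE = """\
[global]
\tserver role = active directory domain controller
\tserver services = s3fs, rpc, nbt, \\
\t\tkdc, drepl
\twins support = no
\tLocal Master = no
\tdomain master = yes
\tpreferred master = no
"""

if __name__ == "__main__":
    for no, key, value in audit_dc(SAMPLE):
        print(f"line {no}: remove '{key} = {value}'")
```
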





