[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller

Rowland Penny rpenny at samba.org
Sat Jul 21 15:20:27 UTC 2018


On Sat, 21 Jul 2018 17:01:55 +0200
john doe via samba <samba at lists.samba.org> wrote:

> On 7/21/2018 3:50 PM, Rowland Penny via samba wrote:
> > On Sat, 21 Jul 2018 14:13:45 +0100
> > Roy Eastwood via samba <samba at lists.samba.org> wrote:
> > 
> >> On Sat, 21 Jul 2018 12:16:42 +0100
> >>> Rowland Penny via samba<samba at lists.samba.org> wrote:
> >>> On Sat, 21 Jul 2018 11:24:47 +0100
> >>> Roy Eastwood via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> "Failed to establish your Kerberos Ticket cache due time
> >>>> differences with the domain controller.  Please verify the system
> >>>> time."
> >>>
> >>> It looks like there is something wrong with your time settings,
> >>> even though you don't think there is. Do your DC's point to
> >>> themselves as the dns server or each other ?
> >>
> >> The DC's point to themselves in /etc/resolv.conf  (in order that
> >> samba_dnsupdate works ok).
> >> ie
> >> debian-vb (ip address 192.168.2.6) /etc/resolv.conf:
> >> =======
> >> search microilynx.org
> >> nameserver 192.168.2.6
> >> nameserver 192.168.2.4
> >>
> >>
> >> pi-dc (ip address 129.168.2.4)
> >> =========
> >> search microilynx.org
> >> nameserver 192.168.2.4
> >> nameserver 192.168.2.6
> >>
> >>>> Can I ignore this warning or does it point to something wrong
> >>>> with the installation?
> >>>
> >>> You have a problem, you should not ignore it. I would peer very
> >>> closely at the rpi, mainly because it doesn't have an RTC.
> >>>
> >>> It may help if you posted the main conf files from both DC's
> >>>
> >>> Rowland
> >>>
> >> OK, global section of smb.conf files:
> >>
> >>  From debian-vb:
> >> =============
> >> # Global parameters
> >> [global]
> >> 	netbios name = DEBIAN-VB
> >> 	realm = MICROLYNX.ORG
> >> 	server role = active directory domain controller
> >> 	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >> 	workgroup = MICROLYNX
> >> 	idmap_ldb:use rfc2307 = yes
> > 
> > Remove the following lines, they shouldn't be in a DC
> >  From here:
> >> 	wins support = no
> >> 	local master = yes
> >> 	domain master = yes
> >> 	preferred master = yes
> > To here.
> > 
> >> # prevent CUPS errors in syslog
> >> 	printcap name = /dev/null
> >> 	load printers = no
> >> # add the following two lines for testing - remove for production
> >> 	winbind enum users = yes
> >> 	winbind enum groups = yes
> >> 	template shell = /bin/bash
> >> 	template homedir = /home/%D/%U
> >> 	log file = /var/log/samba/log.samba
> >> 	log level = 1
> >>
> >>  From pi-dc:
> >> =========
> >> # Global parameters
> >> [global]
> >> 	netbios name = PI-DC
> >> 	realm = MICROLYNX.ORG
> >> 	server role = active directory domain controller
> >> 	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >> 	workgroup = MICROLYNX
> > 
> > As above, remove these lines
> >  From here:
> >> 	wins support = no
> >> 	local master = no
> >> 	domain master = yes
> >> 	preferred master = no
> > To here.
> > 
> >> # prevent CUPS errors in syslog
> >> 	printcap name = /dev/null
> >> 	load printers = no
> >>
> >> # add the following two lines for testing - remove for production
> >> 	winbind enum users = yes
> >> 	winbind enum groups = yes
> >> 	
> >> # allow AD users to log on
> >> 	template shell = /bin/bash
> >> 	template homedir = /home/%D/%U
> >> 	
> >> 	log file = /var/log/samba/samba.log
> >> 	log level = 1
> >>
> >> /etc/chrony/chrony.conf:  is as per the Samba Wiki (with IP address
> >> changed as appropriate and servers:0.uk.pool.ntp.org etc)
> > 
> > Well that must be right, I wrote it ;-)
> > 
> >>
> >> /etc/krb5/conf:
> >> ===========
> >> [libdefaults]
> >> 	default_realm = MICROLYNX.ORG
> >> 	dns_lookup_realm = false
> >> 	dns_lookup_kdc = true
> >>
> >> I realised that the pi has no RTC, but I have now found that
> >> there's a service running called: fake-hwclock which I assume can
> >> be removed or disabled now that chrony is setting the clock?
> >> There's also a systemd-timesyncd service, which is enabled - I
> >> assume that should also be disabled?
> > 
> > If you have chrony (or ntp) running, then you don't need another
> > time server (I take it 'systemd-timesyncd' is a time server,
> > wouldn't know, I do not use systemd)
> > 
> 
> The service 'systemd-timesyncd' is a time client and not a time
> server.
> 
> https://www.freedesktop.org/software/systemd/man/systemd-timesyncd.service.html
> 

This quote from the above link "The systemd-timesyncd service
specifically implements only SNTP", means it isn't any good for a DC.

Rowland
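
The smb.conf advice in the thread above (remove the four browsing/WINS parameters from a DC), written as a small lint check. This is an added example, not code from the thread or from the Samba project; the function names are hypothetical and the sample config is constructed from the pi-dc excerpt quoted above.

```python
# Added example: lint an smb.conf [global] section for the parameters the
# thread says do not belong on an AD DC. Function names are hypothetical.

DC_ROLE = "active directory domain controller"
# The four parameters quoted between "From here" and "To here" in the thread.
UNWANTED_ON_DC = ("wins support", "local master", "domain master", "preferred master")


def parse_global(text):
    """Return {parameter: value} for the [global] section of smb.conf text."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # parameter names are case-insensitive; collapse runs of whitespace too
        params[" ".join(name.lower().split())] = value.strip()
    return params


def unwanted_dc_params(text):
    """List (name, value) pairs that should be removed if this host is a DC."""
    params = parse_global(text)
    if params.get("server role", "").lower() != DC_ROLE:
        return []  # the advice in the thread applies to DCs only
    return [(n, params[n]) for n in UNWANTED_ON_DC if n in params]


# Constructed sample modelled on the pi-dc config quoted in the thread.
SAMPLE = """\
[global]
    netbios name = PI-DC
    server role = active directory domain controller
    wins support = no
    local master = no
    domain master = yes
    preferred master = no
# prevent CUPS errors in syslog
    load printers = no
"""

if __name__ == "__main__":
    for name, value in unwanted_dc_params(SAMPLE):
        print(f"remove from DC smb.conf: {name} = {value}")
```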


