[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller

Roy Eastwood spindles7 at gmail.com
Sat Jul 21 19:27:45 UTC 2018


> > >
> > > Whilst this is a new domain provision with v 4.8.3, the machine has
> > > had versions going back to 4.7.4 compiled and installed (albeit with
> > > different domains).  I used make uninstall on the last version of
> > > samba before installing 4.8.3 if that makes any difference.   I
> > > checked for that time.py file and it's not in that folder (or
> > > anywhere else according to find).
> > >
> > > Roy
> > >
> > >
> >
> > No, it wouldn't have been there, 4.7.4 isn't old enough.
> >
> > When you built Samba, did you have all the correct packages installed,
> > see here:
> >
> > https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba#Debian_.2F_Ubuntu

Yes, I copied the list from the Wiki (when I installed 4.7.4) but haven't reviewed it since - so if there have been additions since, that may be an issue.

> >
> > Is AppArmor installed, or a firewall?
> >
No, neither.  Nor SELinux.

> > Rowland
> >
> 
> Another thought, could this be an authentication problem? Try adding
> '-U Administrator' and see if this helps.
> 
> Rowland

I did this and it worked OK. Then I did it without the -U Administrator and it also worked! I have no idea why it now works, as I haven't actually changed anything, other than issuing net cache flush. BUT the original problem remains! But even more confusing - see the transcript below:

login as: roy
roy at 192.168.2.4's password:
Failed to establish your Kerberos Ticket cache due time differences
with the domain controller.  Please verify the system time.

Linux pi-dc 4.14.52-v7+ #1123 SMP Wed Jun 27 17:35:49 BST 2018 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Jul 21 19:55:43 2018 from 192.168.2.240
MICROLYNX\roy at pi-dc:~ $ samba-tool time
ldb: Unable to open tdb '/usr/local/samba/private/secrets.ldb': Permission denied
ldb: Failed to connect to '/usr/local/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/usr/local/samba/private/secrets.ldb': Permission denied
Could not find machine account in secrets database: Failed to fetch machine account password from secrets.ldb: Could not open secrets.ldb and failed to open /usr/local/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Thu Nov  3 17:17:15 2016 GMT
MICROLYNX\roy at pi-dc:~ $ sudo samba-tool time
[sudo] password for MICROLYNX\roy:
Failed to establish your Kerberos Ticket cache due time differences
with the domain controller.  Please verify the system time.

Sat Jul 21 20:02:24 2018 BST
MICROLYNX\roy at pi-dc:~ $ sudo samba-tool time
Sat Jul 21 20:03:08 2018 BST
MICROLYNX\roy at pi-dc:~ $

As you can see one time it fails, then it works!

So next I stopped the samba-ad-dc service on Debian-vb. I then couldn't log in to pi-dc with my AD user. Even restarting the service on pi-dc had no effect. However, running pam-auth-update again allowed me to log in once more with Debian-vb off. As such the time message disappears on login and when running samba-tool time.

Restarting the samba-ad-dc service on Debian-vb brings the error message back when logging on to pi-dc. So I assume it's some kind of interaction between the two DCs.

I'm getting confused...:-)

Roy




