[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller

L.P.H. van Belle belle at bazuin.nl
Mon Jul 23 06:39:17 UTC 2018 

If you chrony is using the default ntp pools, yes, you might see this. 
Try to set both servers to a few stratum 1 servers. 
Look them up here, choose 2-3 close to you.
https://support.ntp.org/bin/view/Servers/StratumOneTimeServers 

Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland Penny via samba
> Verzonden: zaterdag 21 juli 2018 13:17
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Failed to establish your Kerberos 
> Ticket cache due time differences with the domain controller
> 
> On Sat, 21 Jul 2018 11:24:47 +0100
> Roy Eastwood via samba <samba at lists.samba.org> wrote:
> 
> > From: Roy Eastwood via samba <samba at lists.samba.org>
> > To: <samba at lists.samba.org>
> > Subject: [Samba] Failed to establish your Kerberos Ticket cache due
> > time differences with the domain controller Date: Sat, 21 Jul 2018
> > 11:24:47 +0100 Reply-To: Roy Eastwood <spindles7 at gmail.com>
> > Sender: "samba" <samba-bounces at lists.samba.org>
> > X-Mailer: Microsoft Outlook 14.0
> > 
> > I have this warning message when I try to logon using a domain user
> > to the DC itself: 
> > 
> > "Failed to establish your Kerberos Ticket cache due time differences
> > with the domain controller.  Please verify the system time."
> 
> It looks like there is something wrong with your time settings, even
> though you don't think there is. Do your DC's point to themselves as
> the dns server or each other ?
> 
> > 
> > I have set up PAM using this file: /usr/share/pam-configs/winbind:
> > 
> 
> That is the debian default, which works for me ;-)
> 
> 
> > The time is correct on both DCs (I am using chrony to set time using
> > ntp).     I have two DCs: one based on Debian Stretch and one based
> > on Rasbian Stretch. Both are using Samba 4.8.3 compiled from
> > source.    Both have similar configurations.    The Debian 
> DC doesn't
> > give this warning, but the Rasbian one does;  the user is logged on
> > anyway.   If I remove the krb5 entries from the Auth lines in the
> > above file the warning disappears.      Using kinit works OK.
> > 
> > Can I ignore this warning or does it point to something 
> wrong with the
> > installation?
> 
> You have a problem, you should not ignore it. I would peer 
> very closely
> at the rpi, mainly because it doesn't have an RTC.
> 
> It may help if you posted the main conf files from both DC's
> 
> Rowland
>  
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

More information about the samba mailing list