[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller

L.P.H. van Belle belle at bazuin.nl
Mon Jul 23 07:28:37 UTC 2018


Hai, 

I've been reading this thread more closely. 

I suggest you try the following.

Check the servers' hardware clock in the BIOS first.
Set these within 5 min, if they are not about the same.

Run :  dpkg-reconfigure tzdata 
Check/set the correct timezones on both servers, and both servers should show you the same date/time and (optional) zone.

Run : ntpq -p
Check the offset on both servers. 

Add :  winbind refresh tickets = yes to your smb.conf

If these are member servers, make sure you have only the server lines pointed to your AD DC's.
If these are DC's, then make sure they both point to the same ntp servers. 
Don't use pool servers for the AD DC's, but that's my advice. 

Reboot the servers, first DC with FSMO, if there are DC's involved. 
This will clear kerberos cache tickets and should make sure the time is really set ok. 

Login again, do you still have the time message? If yes.. 

Check : 
/etc/pam.d/common-auth
You should see a line like : 
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

Change that one to 
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth try_first_pass
Try again, put it back again after a successful login without messages. 

When this is done. 
Now go clear the kerberos cache. 
Run : klist -ef
Check the ETYPES and Flags. 


Now mail us back with the results. 
Above should determine if it's an old kerberos cache problem or ntp problem. 


Greetz, 

Louis




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Roy 
> Eastwood via samba
> Sent: Saturday 21 July 2018 21:28
> To: samba at lists.samba.org
> Subject: Re: [Samba] Failed to establish your Kerberos 
> Ticket cache due time differences with the domain controller
> 
> > > >
> > > > Whilst this is a new domain provision with v 4.8.3, the machine has
> > > > had versions going back to 4.7.4 compiled and installed (albeit with
> > > > different domains).  I used make uninstall on the last version of
> > > > samba before installing 4.8.3 if that makes any difference.   I
> > > > checked for that time.py file and it's not in that folder (or
> > > > anywhere else according to find).
> > > >
> > > > Roy
> > > >
> > > >
> > >
> > > No, it wouldn't have been there, 4.7.4 isn't old enough.
> > >
> > > When you built Samba, did you have all the correct packages installed,
> > > see here:
> > >
> > > https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba#Debian_.2F_Ubuntu
> 
> Yes, I copied the list from the WiKi (when I installed 4.7.4) 
> but haven't reviewed it since - so if there's been additions 
> since, that may be an issue.
> 
> > >
> > > Is Apparmor installed, or a firewall ?
> > >
> No, neither.  Nor SELinux.
> 
> > > Rowland
> > >
> > 
> > Another thought, could this be an authentication problem ? try adding
> > '-U Administrator' and see if this helps.
> > 
> > Rowland
> 
> I did this and it worked OK.   Then I did it without the -U 
> Administrator and it also worked!   I have no idea why it now 
> works  as I haven't actually changed anything, other than 
> issuing net cache flush.   BUT the original problem remains!  
>  But even more confusing- see the transcript below:
> 
> login as: roy
> roy at 192.168.2.4's password:
> Failed to establish your Kerberos Ticket cache due time differences
> with the domain controller.  Please verify the system time.
> 
> Linux pi-dc 4.14.52-v7+ #1123 SMP Wed Jun 27 17:35:49 BST 2018 armv7l
> 
> The programs included with the Debian GNU/Linux system are 
> free software;
> the exact distribution terms for each program are described in the
> individual files in /usr/share/doc/*/copyright.
> 
> Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> permitted by applicable law.
> Last login: Sat Jul 21 19:55:43 2018 from 192.168.2.240
> MICROLYNX\roy at pi-dc:~ $ samba-tool time
> ldb: Unable to open tdb 
> '/usr/local/samba/private/secrets.ldb': Permission denied
> ldb: Failed to connect to 
> '/usr/local/samba/private/secrets.ldb' with backend 'tdb': 
> Unable to open tdb '/usr/local/samba/private/secrets.ldb': 
> Permission denied
> Could not find machine account in secrets database: Failed to 
> fetch machine account password from secrets.ldb: Could not 
> open secrets.ldb and failed to open 
> /usr/local/samba/private/secrets.tdb: 
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> Thu Nov  3 17:17:15 2016 GMT
> MICROLYNX\roy at pi-dc:~ $ sudo samba-tool time
> [sudo] password for MICROLYNX\roy:
> Failed to establish your Kerberos Ticket cache due time differences
> with the domain controller.  Please verify the system time.
> 
> Sat Jul 21 20:02:24 2018 BST
> MICROLYNX\roy at pi-dc:~ $ sudo samba-tool time
> Sat Jul 21 20:03:08 2018 BST
> MICROLYNX\roy at pi-dc:~ $
> 
> As you can see one time it fails, then it works!
> 
> So next I stopped the samba-ad-dc service on Debian-vb.   I 
> then couldn't log in to pi-dc with my AD user.   Even 
> restarting the service on pi-dc had no effect.   However, 
> running pam-auth-update again, allowed me to login once more 
> with Debian-vb off.   As such the time message disappears on 
> login and when running samba-tool time.
> 
> Restarting the samba-ad-dc service on Debian-vb brings the 
> error message back when logging on to pi-dc.   So I assume 
> it's some kind of interaction between the two DCs.
> 
> I'm getting confused...:-)
> 
> Roy
> 
> 
> 
> 
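The `ntpq -p` offset check and the "both DCs point to the same ntp servers" check from the steps at the top of this message, as an added example that is not part of the original mail or of Samba. The `ntpq -p` output is constructed sample data using documentation addresses, the function names are hypothetical, and `MAX_MS` is the 5-minute figure from the mail expressed in milliseconds.

```shell
#!/bin/sh
# Added example: classify `ntpq -p` output from each DC.
MAX_MS=300000   # 5 minutes; ntpq reports offsets in milliseconds

# Constructed sample output (not taken from the thread).
sample_debian_vb() { cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377    0.412   -1.205   0.310
+192.0.2.11      192.0.2.10       2 u   12   64  377    0.530    0.844   0.402
EOF
}
sample_pi_dc() { cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*198.51.100.7    .PPS.            1 u   40   64  377   18.201 412345.6   9.114
EOF
}

# sync_peer: read ntpq -p output on stdin and print "<remote> <offset_ms>" for
# the peer ntpd selected (tally code '*'); status 1 if no peer is selected.
sync_peer() {
    awk '/^\*/ { sub(/^\*/, "", $1); print $1, $9; found = 1; exit }
         END   { exit !found }'
}

# check_host NAME: classify one host from its ntpq -p output on stdin.
# Prints OK, SKEW or NOSYNC; status is non-zero for SKEW and NOSYNC.
check_host() {
    peer=$(sync_peer) || { echo "$1: NOSYNC"; return 1; }
    echo "$peer" | awk -v h="$1" -v max="$MAX_MS" '{
        a = ($2 < 0) ? -$2 : $2
        s = (a > max) ? "SKEW" : "OK"
        printf "%s: %s peer=%s offset_ms=%s\n", h, s, $1, $2
        exit (s != "OK") }'
}

# same_source A B: true when two sync_peer results name the same remote.
same_source() {
    [ "${1%% *}" = "${2%% *}" ]
}

sample_debian_vb | check_host Debian-vb || true
sample_pi_dc     | check_host pi-dc     || true
same_source "$(sample_debian_vb | sync_peer)" "$(sample_pi_dc | sync_peer)" \
    || echo "DCs are synchronised to different sources"
```

On a live server the input would come from `ntpq -pn | check_host "$(hostname)"` instead of the sample functions.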



