[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller

Roy Eastwood spindles7 at gmail.com
Mon Jul 23 20:28:15 UTC 2018


Thanks Louis.   Results below.
 
> Hai,
> 
> I've been reading this thread more closely.
> 
> I suggest you try the following.
> 
> Check the server's hardware clock in the BIOS first.
> Set these within 5 min, if they are not about the same.
> 
There is no RTC in the Pi; the other DC is running in a VM with the RTC set to UTC. I have disabled the guest from getting the time from the host OS.

> Run :  dpkg-reconfigure tzdata
> Check/set the correct timezones on both servers, and both servers should show
> you the same date/time and (optional) zone.
> 
Done, both show the TZ to be correct, i.e. Europe/London, and local and UTC times are correct and identical on both DCs.

> Run : ntpq -p
> Check the offset on both servers.
Don't have ntpq (part of the ntp package?) but ran chronyc sources with the following results:

root at pi-dc:~# chronyc sources
210 Number of sources = 3
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ www.bhay.org                  2   6   377    42  -2411us[-2629us] +/-   14ms
^* 85.199.214.100                1   6   377    41   +673us[ +455us] +/- 6491us
^+ 213.246.159.21                1   6   377    42   +340us[ +123us] +/-   16ms

root at debian-vb:~# chronyc sources
210 Number of sources = 3
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 85.199.214.102                1   6   377    42   -357us[ -354us] +/- 7721us
^+ server1.quickdrivingtest>     1   6   377    41   -617us[ -617us] +/- 6199us
^+ time.netweaver.uk             2   6   377    41   +323us[ +323us] +/-   12ms

Both DCs are configured to use the same servers (0.uk.pool.ntp.org, 1.uk.pool.ntp.org and 2.uk.pool.ntp.org)

> 
> Add :  winbind refresh tickets = yes to your smb.conf

Done.

> 
> If these are member servers, make sure you have only the server lines pointed
> to your AD DC's.
> If these are DC's, then make sure they both point to the same ntp servers.

yes, see above

> Don't use pool servers for the AD DC's, but that's my advice.

OK, will try Stratum 1 and see what happens, but for now here are the results so far.

> 
> Reboot the servers, first the DC with FSMO, if there are DC's involved.
> This will clear kerberos cache tickets and should make sure the time is really set
> ok.
> 
> Log in again, do you still have the time message? If yes..

No change, message still there. Even with the other DC switched off (the one with the FSMO roles).

> 
> Check :
> /etc/pam.d/common-auth
> You should see a line like :
> auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
> 
> Change that one to
> auth    [success=1 default=ignore]      pam_winbind.so krb5_auth try_first_pass
> Try again, put it back again after a successful login without messages.
> 
Done that, but still get the warning even with the shorter version. Never able to log on without the warning, so put it back anyway.
The only way I have found not to get the message is to remove the krb5_auth (and the other ones) completely. But then we are not using Kerberos.

> When this is done.
> Now go clear the kerberos cache.
> Run : klist -ef
> Check the ETYPES and Flags.
> 
As roy (after logging in and getting the message):
Failed to establish your Kerberos Ticket cache due time differences
with the domain controller.  Please verify the system time.
MICROLYNX\roy at pi-dc:~ $ klist -ef
klist: No credentials cache found (filename: /tmp/krb5cc_3000022)

So generate a ticket:
MICROLYNX\roy at pi-dc:~ $ kinit roy
Password for roy at MICROLYNX.ORG:
MICROLYNX\roy at pi-dc:~ $ klist -ef
Ticket cache: FILE:/tmp/krb5cc_3000022
Default principal: roy at MICROLYNX.ORG

Valid starting     Expires            Service principal
23/07/18 21:25:51  24/07/18 07:25:51  krbtgt/MICROLYNX.ORG at MICROLYNX.ORG
        renew until 24/07/18 21:25:48, Flags: RIA
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

> 
> Now mail us back with the results.
> The above should determine if it's an old kerberos cache problem or an ntp problem.
> 
> 
> Greetz,
> 
> Louis
> 

Cheers,

Roy
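The thread's diagnosis rests on reading the `chronyc sources` output from both DCs by eye. The script below is an added example (not part of the thread, and not Samba or chrony code) that parses that output, converts the "Last sample" offset and error columns to seconds, and bounds how far each host can be from reference time; the sum for the two hosts is then compared with the 5-minute Kerberos clock-skew limit (MIT krb5's default `clockskew` is 300 seconds, and AD uses the same default). The two embedded samples are constructed copies of the two outputs quoted above. One assumption is made and labelled in the code: chrony's printed `+/-` margin is treated as an upper bound on the offset of the host from its reference, so the sum of the two hosts' margins is an estimate of their mutual skew, not a measurement of it.

```python
import re

# Constructed samples, copied in shape from the two `chronyc sources` outputs in the thread.
PI_DC = """\
210 Number of sources = 3
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ www.bhay.org                  2   6   377    42  -2411us[-2629us] +/-   14ms
^* 85.199.214.100                1   6   377    41   +673us[ +455us] +/- 6491us
^+ 213.246.159.21                1   6   377    42   +340us[ +123us] +/-   16ms
"""

DEBIAN_VB = """\
210 Number of sources = 3
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 85.199.214.102                1   6   377    42   -357us[ -354us] +/- 7721us
^+ server1.quickdrivingtest>     1   6   377    41   -617us[ -617us] +/- 6199us
^+ time.netweaver.uk             2   6   377    41   +323us[ +323us] +/-   12ms
"""

# MIT krb5 default 'clockskew' (5 minutes); AD domain controllers use the same default.
KRB5_CLOCKSKEW_S = 300.0

_UNIT = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0}

# One data row of `chronyc sources`:  MS  name  stratum  poll  reach  lastrx  offset[adjusted] +/- error
_LINE = re.compile(
    r"^(?P<mode>[\^=#])(?P<state>[*+\-?x~])\s+"
    r"(?P<name>\S+)\s+(?P<stratum>\d+)\s+(?P<poll>-?\d+)\s+(?P<reach>\d+)\s+(?P<lastrx>\S+)\s+"
    r"(?P<offset>[+-]?\d+(?:\.\d+)?[a-z]+)\[\s*(?P<adjusted>[+-]?\d+(?:\.\d+)?[a-z]+)\]\s+"
    r"\+/-\s+(?P<error>\d+(?:\.\d+)?[a-z]+)\s*$"
)


def to_seconds(token):
    """Convert a chrony time token such as '-2411us', '14ms' or '1.5s' to float seconds."""
    m = re.fullmatch(r"([+-]?\d+(?:\.\d+)?)(ns|us|ms|s)", token)
    if not m:
        raise ValueError(f"unrecognised time token: {token!r}")
    return float(m.group(1)) * _UNIT[m.group(2)]


def parse_sources(text):
    """Return one dict per source row; banner, header and ruler lines are skipped."""
    sources = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        sources.append({
            "name": m["name"],
            "selected": m["state"] == "*",          # '*' marks the source chrony is syncing to
            "stratum": int(m["stratum"]),
            "reach": int(m["reach"], 8),            # reachability register is printed in octal
            "adjusted_offset_s": to_seconds(m["adjusted"]),  # bracketed value: offset adjusted to now
            "error_s": to_seconds(m["error"]),
        })
    return sources


def skew_bound(text):
    """Upper bound in seconds on this host's distance from reference time.

    Assumption (not a chrony guarantee): the '+/-' margin bounds the true offset,
    so |adjusted offset| + margin of the selected source bounds the host's skew.
    """
    selected = [s for s in parse_sources(text) if s["selected"]]
    if not selected:
        raise ValueError("no selected ('*') source: host is not synchronised")
    s = selected[0]
    return abs(s["adjusted_offset_s"]) + s["error_s"]


def pair_skew_bound(text_a, text_b):
    """Estimated worst-case clock skew between two hosts, each bounded against reference time."""
    return skew_bound(text_a) + skew_bound(text_b)


def within_kerberos_skew(text_a, text_b, limit_s=KRB5_CLOCKSKEW_S):
    """True if the two hosts cannot be further apart than the Kerberos clock-skew limit."""
    return pair_skew_bound(text_a, text_b) < limit_s


if __name__ == "__main__":
    for label, text in (("pi-dc", PI_DC), ("debian-vb", DEBIAN_VB)):
        print(f"{label}: skew bound {skew_bound(text) * 1000:.3f} ms")
    print("pair bound %.3f ms, within %.0f s Kerberos limit: %s"
          % (pair_skew_bound(PI_DC, DEBIAN_VB) * 1000, KRB5_CLOCKSKEW_S,
             within_kerberos_skew(PI_DC, DEBIAN_VB)))
```

For the two outputs in the thread the pair bound comes to about 15 ms, four orders of magnitude under the 300 s limit, which is consistent with the TGT being issued by `kinit` without complaint. The script only measures skew against NTP, not directly between the client and the DC it authenticates to, so a bound this small says the clocks are not the cause; it does not say what is.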
