[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller
Roy Eastwood
spindles7 at gmail.com
Mon Jul 23 20:28:15 UTC 2018
Thanks Louis. Results below.
> Hai,
>
> I've been reading this thread more closely.
>
> I suggest you try the following.
>
> Check the server's hardware clock in the BIOS first.
> Set these within 5 min, if they are not about the same.
>
There's no RTC in the Pi; the other DC is running in a VM with the RTC set to UTC. I have disabled the guest from getting the time from the host OS.
> Run : dpkg-reconfigure tzdata
> Check/set the correct timezones on both servers, and both servers should show
> you the same date/time and (optional) zone.
>
Done, both show the TZ to be correct, i.e. Europe/London, and local and UTC times are correct and identical on both DCs.
> Run : ntpq -p
> Check the offset on both servers.
Don't have ntpq (part of the ntp package?) but ran chronyc sources with the following results:

root at pi-dc:~# chronyc sources
210 Number of sources = 3
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ www.bhay.org                  2   6   377    42  -2411us[-2629us] +/-   14ms
^* 85.199.214.100                1   6   377    41   +673us[ +455us] +/- 6491us
^+ 213.246.159.21                1   6   377    42   +340us[ +123us] +/-   16ms

root at debian-vb:~# chronyc sources
210 Number of sources = 3
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 85.199.214.102                1   6   377    42   -357us[ -354us] +/- 7721us
^+ server1.quickdrivingtest>     1   6   377    41   -617us[ -617us] +/- 6199us
^+ time.netweaver.uk             2   6   377    41   +323us[ +323us] +/-   12ms
Both DCs are configured to use the same servers (0.uk.pool.ntp.org, 1.uk.pool.ntp.org and 2.uk.pool.ntp.org).
>
> Add : winbind refresh tickets = yes to your smb.conf
Done.
>
> If these are member servers, make sure you have only the server lines pointed
> to your AD DCs.
> If these are DCs, then make sure they both point to the same NTP servers.
Yes, see above.
> Don't use pool servers for the AD DCs, but that's my advice.
OK, will try Stratum 1 servers and see what happens, but for now here are the results so far.
>
> Reboot the servers, first the DC with the FSMO roles, if there are DCs involved.
> This will clear the Kerberos cache tickets and should make sure the time is really set
> ok.
>
> Login again, do you still have the time message? If yes..
No change, message still there. Even with the other DC switched off (the one with FSMO roles).
>
> Check :
> /etc/pam.d/common-auth
> You should see a line like :
> auth [success=1 default=ignore] pam_winbind.so krb5_auth
> krb5_ccache_type=FILE cached_login try_first_pass
>
> Change that one to
> auth [success=1 default=ignore] pam_winbind.so krb5_auth try_first_pass
> Try again, put it back again after a successful login without messages.
>
Done that, but I still get the warning even with the shorter version. Never able to log on without the warning, so put it back anyway.
The only way I have found not to get the message is to remove the krb5_auth (and the other ones) completely. But then we are not using Kerberos.
> When this is done.
> Now go clear the kerberos cache.
> Run : klist -ef
> Check the ETYPES and Flags.
>
As roy, after logging in and getting the message:
Failed to establish your Kerberos Ticket cache due time differences
with the domain controller. Please verify the system time.
MICROLYNX\roy at pi-dc:~ $ klist -ef
klist: No credentials cache found (filename: /tmp/krb5cc_3000022)
So generate a ticket:
MICROLYNX\roy at pi-dc:~ $ kinit roy
Password for roy at MICROLYNX.ORG:
MICROLYNX\roy at pi-dc:~ $ klist -ef
Ticket cache: FILE:/tmp/krb5cc_3000022
Default principal: roy at MICROLYNX.ORG
Valid starting Expires Service principal
23/07/18 21:25:51 24/07/18 07:25:51 krbtgt/MICROLYNX.ORG at MICROLYNX.ORG
renew until 24/07/18 21:25:48, Flags: RIA
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
> Now mail us back with the results.
> The above should determine if it's an old Kerberos cache problem or an NTP problem.
>
>
> Greetz,
>
> Louis
>
Cheers,
Roy
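Louis's checklist hinges on the 5-minute window Kerberos allows between client and KDC clocks. As an added example (not part of this thread), here is a small parser for the `chronyc sources` output quoted above that converts each source's offset and error bound to seconds and compares the worst case against the MIT Kerberos clockskew default of 300 s; the sample rows are a re-typed copy of Roy's pi-dc output, and the 300 s constant is the library default, not a value taken from this thread.

```python
import re

# MIT Kerberos rejects tickets when client and KDC clocks differ by more
# than its "clockskew" setting, which defaults to 300 seconds (5 minutes).
KRB5_CLOCKSKEW_S = 300.0
_UNITS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0}

# One data row of `chronyc sources`, e.g. "^+ www.bhay.org 2 6 377 42 -2411us[-2629us] +/- 14ms"
_ROW_RE = re.compile(
    r"^(?P<mode>[\^=#])(?P<state>[*+\-?x~])\s+(?P<name>\S+)\s+(?P<stratum>\d+)\s+"
    r"(?P<poll>-?\d+)\s+(?P<reach>\d+)\s+(?P<lastrx>\S+)\s+"
    r"(?P<adj>[+-]?\d+(?:\.\d+)?)(?P<adj_u>ns|us|ms|s)"
    r"\[\s*(?P<meas>[+-]?\d+(?:\.\d+)?)(?P<meas_u>ns|us|ms|s)\]\s+"
    r"\+/-\s+(?P<err>\d+(?:\.\d+)?)(?P<err_u>ns|us|ms|s)$"
)

def parse_chrony_sources(text):
    """Parse `chronyc sources` output; offsets and error bounds in seconds."""
    rows = []
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if not m:  # banner, column header, rule and shell prompt lines
            continue
        rows.append({
            "name": m["name"],
            "selected": m["state"] == "*",          # the source chrony syncs to
            "reachable": int(m["reach"], 8) != 0,   # Reach is an octal shift register
            "offset_s": float(m["adj"]) * _UNITS[m["adj_u"]],  # adjusted offset
            "error_s": float(m["err"]) * _UNITS[m["err_u"]],   # +/- error bound
        })
    return rows

def kerberos_skew_ok(rows, tolerance_s=KRB5_CLOCKSKEW_S):
    """(ok, worst_s): worst |offset| + error over reachable sources vs tolerance."""
    bounds = [abs(r["offset_s"]) + r["error_s"] for r in rows if r["reachable"]]
    if not bounds:            # no reachable source: sync state unknown, not ok
        return False, None
    return max(bounds) < tolerance_s, max(bounds)

# Constructed sample: the pi-dc output quoted in this thread, re-typed.
SAMPLE = """\
210 Number of sources = 3
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ www.bhay.org                  2   6   377    42  -2411us[-2629us] +/-   14ms
^* 85.199.214.100                1   6   377    41   +673us[ +455us] +/- 6491us
^+ 213.246.159.21                1   6   377    42   +340us[ +123us] +/-   16ms
"""

if __name__ == "__main__":
    ok, worst = kerberos_skew_ok(parse_chrony_sources(SAMPLE))
    print(f"worst bound {worst * 1000:.3f} ms, within Kerberos tolerance: {ok}")
```

For Roy's output the worst bound is about 16 ms, far inside the tolerance, which supports his conclusion that the warning is not really a clock problem.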