[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller

Rowland Penny rpenny at samba.org
Mon Jul 23 21:10:36 UTC 2018


On Mon, 23 Jul 2018 21:28:15 +0100
Roy Eastwood via samba <samba at lists.samba.org> wrote:

> Thanks Louis.   Results below.
>  
> > Hai,
> > 
> > I've reading this thread more closely.
> > 
> > I suggest you try the following.
> > 
> > Check the servers hardware clock in the bios first.
> > Set these within 5 min, if they are not about the same.
> > 
> There's no RTC in the Pi;  the other DC is running in a VM with RTC set
> to UTC.   I have disabled the guest from getting the time from the
> host OS.
> 
> > Run :  dpkg-reconfigure tzdata
> > Check/set the correct timezones on both servers, and both servers
> > should show you the same date/time and (optional) zone.
> > 
> Done, both show the TZ to be correct, i.e. Europe/London, and local and
> UTC times are correct and identical on both DCs.
> 
> > Run : ntpq -p
> > Check the offset on both servers.
> Don't have ntpq (part of ntp package?) but ran chronyc sources with
> the following results:
> 
> root at pi-dc:~# chronyc sources
> 210 Number of sources = 3
> MS Name/IP address         Stratum Poll Reach LastRx Last sample
> ===============================================================================
> ^+ www.bhay.org                  2   6   377    42  -2411us[-2629us] +/-   14ms
> ^* 85.199.214.100                1   6   377    41   +673us[ +455us] +/- 6491us
> ^+ 213.246.159.21                1   6   377    42   +340us[ +123us] +/-   16ms
> 
> root at debian-vb:~# chronyc sources
> 210 Number of sources = 3
> MS Name/IP address         Stratum Poll Reach LastRx Last sample
> ===============================================================================
> ^* 85.199.214.102                1   6   377    42   -357us[ -354us] +/- 7721us
> ^+ server1.quickdrivingtest>     1   6   377    41   -617us[ -617us] +/- 6199us
> ^+ time.netweaver.uk             2   6   377    41   +323us[ +323us] +/-   12ms
> 
> Both DCs are configured to use the same servers (0.uk.pool.ntp.org,
> 1.uk.pool.ntp.org and 2.uk.pool.ntp.org)
> 
> > 
> > Add :  winbind refresh tickets = yes to your smb.conf
> 
> Done.
> 
> > 
> > If these are member servers, make sure you have only the server
> > lines pointed to your AD DC's.
> > If these are DC's, then make sure they both point to the same ntp
> > servers.
> 
> yes, see above
> 
> > Don't use pool servers for the AD DC's, but that's my advice.
> 
> OK, will try Stratum1 and see what happens, but for now here are the
> results so far.
> 
> > 
> > Reboot the servers, first DC with FSMO, if there are DC's involved.
> > This will clear kerberos cache tickets and should make sure the time
> > is really set ok.
> > 
> > Login again, do you still have the time message, if yes..
> 
> No change, message still there.   Even with the other DC switched off
> (the one with FSMO roles).
> 
> > 
> > Check :
> > /etc/pam.d/common-auth
> > You should see a line like :
> > auth    [success=1 default=ignore]      pam_winbind.so krb5_auth
> > krb5_ccache_type=FILE cached_login try_first_pass
> > 
> > Change that one to
> > auth    [success=1 default=ignore]      pam_winbind.so krb5_auth
> > try_first_pass Try again, put it back again after a successful
> > login without messages.
> > 
> Done that, but still get the warning even with the shorter
> version.    Never able to logon without the warning, so put it back
> anyway. The only way I have found not to get the message is to remove
> the krb5_auth (and the other ones) completely.   But then we are not
> using Kerberos.
> 
> > When this is done.
> > Now go clear the kerberos cache.
> > Run : klist -ef
> > Check the ETYPES and Flags.
> > 
> As roy (after logging in and getting the message):
> Failed to establish your Kerberos Ticket cache due time differences
> with the domain controller.  Please verify the system time.

OK, I know where the message is coming from ;-)

samba-master/nsswitch/pam_winbind.c

line 1441

static void _pam_warn_krb5_failure(struct pwb_context *ctx,
				   const char *username,
				   uint32_t info3_user_flgs)
{
	if (PAM_WB_KRB5_CLOCK_SKEW(info3_user_flgs)) {
		_make_remark(ctx, PAM_ERROR_MSG,
			     _("Failed to establish your Kerberos Ticket cache "
			       "due time differences\n"
			       "with the domain controller.  "
			       "Please verify the system time.\n"));
		_pam_log_debug(ctx, LOG_DEBUG,
			       "User %s: Clock skew when getting Krb5 TGT\n",
			       username);
	}
}

So it looks like you must have some difference in time between the two
DC's.
Try installing ntpdate on each DC and then run on each DC:

ntpdate -d -u 'FQDN of other DC'

You should get a very low 'offset', it is in seconds

Rowland
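As an added example (not part of the thread, and not Samba's or chrony's own code), here is a small POSIX shell script that reads `chronyc sources` output, picks out the largest measured offset (the bracketed value in the "Last sample" column) and compares it with the Kerberos clock-skew limit that pam_winbind's warning above is about. The embedded sample is a constructed copy of the pi-dc output quoted earlier in the thread; the 300 second limit is the MIT Kerberos default `clockskew`.

```shell
#!/bin/sh
# Added example: check chrony's measured offsets against the Kerberos skew limit.
set -eu

# Kerberos rejects a ticket request when the client and KDC clocks differ by
# more than this many seconds (MIT krb5 default `clockskew` = 300).
KRB5_MAX_SKEW_S=300

# Constructed sample in the layout `chronyc sources` prints (one source per line).
SAMPLE='210 Number of sources = 3
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ www.bhay.org                  2   6   377    42  -2411us[-2629us] +/-   14ms
^* 85.199.214.100                1   6   377    41   +673us[ +455us] +/- 6491us
^+ 213.246.159.21                1   6   377    42   +340us[ +123us] +/-   16ms'

# Read chronyc output on stdin and print the largest absolute measured offset
# in microseconds. Source lines start with the mode character (^ server,
# = peer, # refclock); the measured offset is the value in square brackets,
# suffixed with ns, us, ms or s.
max_abs_offset_us() {
  awk '
    BEGIN { max = 0 }
    /^[\^=#]/ {
      if (match($0, /\[ *[-+]?[0-9.]+(ns|us|ms|s)\]/)) {
        tok = substr($0, RSTART + 1, RLENGTH - 2)   # strip the brackets
        gsub(/ /, "", tok)                           # "[ +455us]" -> "+455us"
        num = tok;  sub(/[a-z]+$/, "", num)          # numeric part
        unit = tok; sub(/^[-+]?[0-9.]+/, "", unit)   # unit suffix
        f = (unit == "ns") ? 0.001 : (unit == "ms") ? 1000 : (unit == "s") ? 1000000 : 1
        v = num * f
        if (v < 0) v = -v
        if (v > max) max = v
      }
    }
    END { printf "%d\n", max }
  '
}

# Return 0 if an offset (in microseconds) is inside the Kerberos skew window.
skew_ok() {
  [ "$1" -lt $((KRB5_MAX_SKEW_S * 1000000)) ]
}

# Print a one-line verdict for the offset on stdin; a real DC would pipe in
# `chronyc sources` instead of the constructed sample.
report() {
  off_us=$(max_abs_offset_us)
  if skew_ok "$off_us"; then
    echo "largest measured offset ${off_us}us: within ${KRB5_MAX_SKEW_S}s Kerberos skew limit"
  else
    echo "largest measured offset ${off_us}us: EXCEEDS ${KRB5_MAX_SKEW_S}s Kerberos skew limit"
    return 1
  fi
}

printf '%s\n' "$SAMPLE" | report
```

Offsets of a few milliseconds, as in both chronyc listings in the thread, are five orders of magnitude below the limit, which is why this check alone is unlikely to explain the pam_winbind warning; it does, however, rule out NTP offset quickly when the hardware clock (as on the Pi) or a VM's host-time sync is suspected.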


