David Raison
2015-Oct-05 11:58 UTC
[Samba] Samba4 + Bind-9.9.5: client update domain/IN denied for some hosts
Hi,

On 16/09/15 09:13, David Raison wrote:
> I have found how to request a ticket on a Linux box [0], but not when or
> how this is done on Windows clients.
> Would I have to make it rejoin the domain?

To have a follow up to this thread:

Having left and tried to rejoin the domain, I found the client was unable to rejoin it. I got some random error message that just said it couldn't join the domain, because "An error occurred".

In my despair, I checked the many hundred lines of the smb and bind log files and finally a message caught my eye about time skew. Seems that the client and the server had more than 5 minutes of time difference, which indeed caused Kerberos to deny authentication, as mentioned in the wiki [0].

The "solution" thus was to log in with a local user account, correct the time and then log back out. Authentication with a domain user then works.

However, the wiki also mentions that time sync should occur by default:

> Per default, Windows clients in an Active Directory, automatically
> synchronize their time with the DC, owning the PDC emulator role. If
> you don't want to use a different source or to configure multiple time
> server, etc. you don't have to take any action.

Any ideas why some clients would decide to ignore this? Any suggestions as to where I should look to see why time sync isn't working for some PCs? Does anyone know whether and where Windows logs time sync events?

Best regards,
David

[0] https://wiki.samba.org/index.php/Time_syncronisation

-- 
TenTwentyFour S.à r.l.
W: www.tentwentyfour.lu
T: +352 20 211 1024
F: +352 20 211 1023
9 av. des Hauts-Fourneaux
4362 Esch-sur-Alzette
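Added example, not part of the original message: one way to measure a machine's clock offset against a time server and compare it with the 5-minute limit described above, using a plain SNTP exchange. The function names are hypothetical, the sample reply is constructed, and `query()` assumes the server (for instance the DC) answers plain NTP on UDP port 123.

```python
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MAX_SKEW = 300               # the 5-minute limit described in the post


def _to_unix(seconds, fraction):
    return seconds - NTP_UNIX_DELTA + fraction / 2**32


def clock_offset(reply, t1, t4):
    """Server-minus-client offset in seconds from a 48-byte SNTP reply.
    t1 / t4 are the client's send / receive times (Unix seconds)."""
    if len(reply) < 48:
        raise ValueError("short SNTP reply")
    if reply[0] & 0x07 != 4 or reply[1] == 0:   # mode 4 = server; stratum 0 = unusable
        raise ValueError("not a usable server reply")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", reply[32:48])
    t2, t3 = _to_unix(rx_s, rx_f), _to_unix(tx_s, tx_f)
    return ((t2 - t1) + (t3 - t4)) / 2


def skew_verdict(offset):
    """'FAIL' when the offset alone would exceed the tolerance."""
    return "FAIL" if abs(offset) > MAX_SKEW else "ok"


def query(server, timeout=3.0):
    """Live measurement; assumes `server` answers plain NTP on UDP 123."""
    request = b"\x23" + 47 * b"\0"   # LI=0, version 4, mode 3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(request, (server, 123))
        reply, _ = s.recvfrom(512)
    return clock_offset(reply, t1, time.time())


def constructed_reply(server_time):
    """Constructed sample reply: mode 4, stratum 2, rx = tx = server_time."""
    ts = struct.pack("!II", int(server_time) + NTP_UNIX_DELTA, 0)
    return b"\x24\x02" + 30 * b"\0" + ts + ts


if __name__ == "__main__":
    now = time.time()
    off = clock_offset(constructed_reply(now + 400), now, now)  # client 400 s behind
    print(f"offset {off:+.1f}s -> {skew_verdict(off)}")
```

A positive offset means the local clock is behind the server, a negative one that it is ahead; either direction counts against the tolerance.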