samba - Jul 2018 - Failed to establish your Kerberos Ticket cache due time differences with the domain controller

On Sat, 21 Jul 2018 12:16:42 +0100
> Rowland Penny via samba<samba at lists.samba.org> wrote:
> On Sat, 21 Jul 2018 11:24:47 +0100
> Roy Eastwood via samba <samba at lists.samba.org> wrote:
> 
> > "Failed to establish your Kerberos Ticket cache due time
differences
> > with the domain controller.  Please verify the system time."
> 
> It looks like there is something wrong with your time settings, even
> though you don't think there is. Do your DC's point to themselves
as
> the dns server or each other ?
The DC's point to themselves in /etc/resolv.conf  (in order that
samba_dnsupdate
works ok).
ie 
debian-vb (ip address 192.168.2.6) /etc/resolv,conf:
======search microilynx.org
nameserver 192.168.2.6
nameserver 192.168.2.4


pi-dc (ip address 129.168.2.4)
========search microilynx.org
nameserver 192.168.2.4
nameserver 192.168.2.6
> > Can I ignore this warning or does it point to something wrong with the
> > installation?
> 
> You have a problem, you should not ignore it. I would peer very closely
> at the rpi, mainly because it doesn't have an RTC.
> 
> It may help if you posted the main conf files from both DC's
> 
> Rowland
> 
OK, global section of smb.conf files:
>From debian-vb:
============# Global parameters
[global]
	netbios name = DEBIAN-VB
	realm = MICROLYNX.ORG
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
	workgroup = MICROLYNX
	idmap_ldb:use rfc2307 = yes
	wins support = no
	local master = yes
	domain master = yes
	preferred master = yes
# prevent CUPS errors in syslog
	printcap name = /dev/null
	load printers = no
# add the following two lines for testing - remove for production
	winbind enum users = yes
	winbind enum groups = yes
	template shell = /bin/bash
	template homedir = /home/%D/%U
	log file = /var/log/samba/log.samba
	log level = 1
>From pi-dc:
========# Global parameters
[global]
	netbios name = PI-DC
	realm = MICROLYNX.ORG
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
	workgroup = MICROLYNX
	wins support = no
	local master = no
	domain master = yes
	preferred master = no
# prevent CUPS errors in syslog
	printcap name = /dev/null
	load printers = no

# add the following two lines for testing - remove for production
	winbind enum users = yes
	winbind enum groups = yes
	
# allow AD users to log on
	template shell = /bin/bash
	template homedir = /home/%D/%U
	
	log file = /var/log/samba/samba.log
	log level = 1

/etc/chrony/chrony.conf:  is as per the Samba WiKi (with ip address changed as
appropriate and servers:0.uk.pool.ntp.org etc)

/etc/krb5/conf:
==========[libdefaults]
	default_realm = MICROLYNX.ORG
	dns_lookup_realm = false
	dns_lookup_kdc = true

I realised that the pi has no RTC, but I have now found that there's a
service
running called: fake-hwclock which I assume can be removed or disabled now that
chrony is setting the clock?   There's also a systemd-timesyncd service,
which
is enabled - I assume that should also be disabled?

Do you need any other config files?

Thanks Rowland for your help as always.

Roy

On Sat, 21 Jul 2018 14:13:45 +0100
Roy Eastwood via samba <samba at lists.samba.org> wrote:
> On Sat, 21 Jul 2018 12:16:42 +0100
> > Rowland Penny via samba<samba at lists.samba.org> wrote:
> > On Sat, 21 Jul 2018 11:24:47 +0100
> > Roy Eastwood via samba <samba at lists.samba.org> wrote:
> > 
> > > "Failed to establish your Kerberos Ticket cache due time
> > > differences with the domain controller.  Please verify the system
> > > time."
> > 
> > It looks like there is something wrong with your time settings, even
> > though you don't think there is. Do your DC's point to
themselves as
> > the dns server or each other ?
> 
> The DC's point to themselves in /etc/resolv.conf  (in order that
> samba_dnsupdate works ok).
> ie 
> debian-vb (ip address 192.168.2.6) /etc/resolv,conf:
> ======> search microilynx.org
> nameserver 192.168.2.6
> nameserver 192.168.2.4
> 
> 
> pi-dc (ip address 129.168.2.4)
> ========> search microilynx.org
> nameserver 192.168.2.4
> nameserver 192.168.2.6
> 
> > > Can I ignore this warning or does it point to something wrong
> > > with the installation?
> > 
> > You have a problem, you should not ignore it. I would peer very
> > closely at the rpi, mainly because it doesn't have an RTC.
> > 
> > It may help if you posted the main conf files from both DC's
> > 
> > Rowland
> > 
> OK, global section of smb.conf files:
> 
> From debian-vb:
> ============> # Global parameters
> [global]
> 	netbios name = DEBIAN-VB
> 	realm = MICROLYNX.ORG
> 	server role = active directory domain controller
> 	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> 	workgroup = MICROLYNX
> 	idmap_ldb:use rfc2307 = yes
Remove the following lines, they shouldn't be in a DC
From here: 
> 	wins support = no
> 	local master = yes
> 	domain master = yes
> 	preferred master = yes
To here.
> # prevent CUPS errors in syslog
> 	printcap name = /dev/null
> 	load printers = no
> # add the following two lines for testing - remove for production
> 	winbind enum users = yes
> 	winbind enum groups = yes
> 	template shell = /bin/bash
> 	template homedir = /home/%D/%U
> 	log file = /var/log/samba/log.samba
> 	log level = 1
> 
> From pi-dc:
> ========> # Global parameters
> [global]
> 	netbios name = PI-DC
> 	realm = MICROLYNX.ORG
> 	server role = active directory domain controller
> 	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> 	workgroup = MICROLYNX
As above, remove these lines
From here:
> 	wins support = no
> 	local master = no
> 	domain master = yes
> 	preferred master = no
To here.
> # prevent CUPS errors in syslog
> 	printcap name = /dev/null
> 	load printers = no
> 
> # add the following two lines for testing - remove for production
> 	winbind enum users = yes
> 	winbind enum groups = yes
> 	
> # allow AD users to log on
> 	template shell = /bin/bash
> 	template homedir = /home/%D/%U
> 	
> 	log file = /var/log/samba/samba.log
> 	log level = 1
> 
> /etc/chrony/chrony.conf:  is as per the Samba WiKi (with ip address
> changed as appropriate and servers:0.uk.pool.ntp.org etc)
Well that must be right, I wrote it ;-)
> 
> /etc/krb5/conf:
> ==========> [libdefaults]
> 	default_realm = MICROLYNX.ORG
> 	dns_lookup_realm = false
> 	dns_lookup_kdc = true
> 
> I realised that the pi has no RTC, but I have now found that there's
> a service running called: fake-hwclock which I assume can be removed
> or disabled now that chrony is setting the clock?   There's also a
> systemd-timesyncd service, which is enabled - I assume that should
> also be disabled?
If you have chrony (or ntp) running, then you don't need another time
server (I take it 'systemd-timesyncd' is a time server, wouldn't
know,
I do not use systemd)

Rowland

On 7/21/2018 3:50 PM, Rowland Penny via samba wrote:
> On Sat, 21 Jul 2018 14:13:45 +0100
> Roy Eastwood via samba <samba at lists.samba.org> wrote:
> 
>> On Sat, 21 Jul 2018 12:16:42 +0100
>>> Rowland Penny via samba<samba at lists.samba.org> wrote:
>>> On Sat, 21 Jul 2018 11:24:47 +0100
>>> Roy Eastwood via samba <samba at lists.samba.org> wrote:
>>>
>>>> "Failed to establish your Kerberos Ticket cache due time
>>>> differences with the domain controller.  Please verify the
system
>>>> time."
>>>
>>> It looks like there is something wrong with your time settings,
even
>>> though you don't think there is. Do your DC's point to
themselves as
>>> the dns server or each other ?
>>
>> The DC's point to themselves in /etc/resolv.conf  (in order that
>> samba_dnsupdate works ok).
>> ie
>> debian-vb (ip address 192.168.2.6) /etc/resolv,conf:
>> ======>> search microilynx.org
>> nameserver 192.168.2.6
>> nameserver 192.168.2.4
>>
>>
>> pi-dc (ip address 129.168.2.4)
>> ========>> search microilynx.org
>> nameserver 192.168.2.4
>> nameserver 192.168.2.6
>>
>>>> Can I ignore this warning or does it point to something wrong
>>>> with the installation?
>>>
>>> You have a problem, you should not ignore it. I would peer very
>>> closely at the rpi, mainly because it doesn't have an RTC.
>>>
>>> It may help if you posted the main conf files from both DC's
>>>
>>> Rowland
>>>
>> OK, global section of smb.conf files:
>>
>>  From debian-vb:
>> ============>> # Global parameters
>> [global]
>> 	netbios name = DEBIAN-VB
>> 	realm = MICROLYNX.ORG
>> 	server role = active directory domain controller
>> 	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>> 	workgroup = MICROLYNX
>> 	idmap_ldb:use rfc2307 = yes
> 
> Remove the following lines, they shouldn't be in a DC
>  From here:
>> 	wins support = no
>> 	local master = yes
>> 	domain master = yes
>> 	preferred master = yes
> To here.
> 
>> # prevent CUPS errors in syslog
>> 	printcap name = /dev/null
>> 	load printers = no
>> # add the following two lines for testing - remove for production
>> 	winbind enum users = yes
>> 	winbind enum groups = yes
>> 	template shell = /bin/bash
>> 	template homedir = /home/%D/%U
>> 	log file = /var/log/samba/log.samba
>> 	log level = 1
>>
>>  From pi-dc:
>> ========>> # Global parameters
>> [global]
>> 	netbios name = PI-DC
>> 	realm = MICROLYNX.ORG
>> 	server role = active directory domain controller
>> 	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>> 	workgroup = MICROLYNX
> 
> As above, remove these lines
>  From here:
>> 	wins support = no
>> 	local master = no
>> 	domain master = yes
>> 	preferred master = no
> To here.
> 
>> # prevent CUPS errors in syslog
>> 	printcap name = /dev/null
>> 	load printers = no
>>
>> # add the following two lines for testing - remove for production
>> 	winbind enum users = yes
>> 	winbind enum groups = yes
>> 	
>> # allow AD users to log on
>> 	template shell = /bin/bash
>> 	template homedir = /home/%D/%U
>> 	
>> 	log file = /var/log/samba/samba.log
>> 	log level = 1
>>
>> /etc/chrony/chrony.conf:  is as per the Samba WiKi (with ip address
>> changed as appropriate and servers:0.uk.pool.ntp.org etc)
> 
> Well that must be right, I wrote it ;-)
> 
>>
>> /etc/krb5/conf:
>> ==========>> [libdefaults]
>> 	default_realm = MICROLYNX.ORG
>> 	dns_lookup_realm = false
>> 	dns_lookup_kdc = true
>>
>> I realised that the pi has no RTC, but I have now found that
there's
>> a service running called: fake-hwclock which I assume can be removed
>> or disabled now that chrony is setting the clock?   There's also a
>> systemd-timesyncd service, which is enabled - I assume that should
>> also be disabled?
> 
> If you have chrony (or ntp) running, then you don't need another time
> server (I take it 'systemd-timesyncd' is a time server,
wouldn't know,
> I do not use systemd)
> 
The service 'systemd-timesyncd' is a time client and not a time server.

https://www.freedesktop.org/software/systemd/man/systemd-timesyncd.service.html

-- 
John Doe