Roy Eastwood
2018-Jul-21 10:24 UTC
[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller
I have this warning message when I try to logon using a domain user to the DC itself: "Failed to establish your Kerberos Ticket cache due time differences with the domain controller. Please verify the system time." I have set up PAM using this file: /usr/share/pam-configs/winbind: Name: Winbind NT/Active Directory authentication Default: yes Priority: 192 Auth-Type: Primary Auth: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass Auth-Initial: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login Account-Type: Primary Account: [success=end new_authtok_reqd=done default=ignore] pam_winbind.so Password-Type: Primary Password: [success=end default=ignore] pam_winbind.so use_authtok try_first_pass Password-Initial: [success=end default=ignore] pam_winbind.so Session-Type: Additional Session: optional pam_winbind.so The time is correct on both DCs (I am using chrony to set time using ntp). I have two DCs: one based on Debian Stretch and one based on Rasbian Stretch. Both are using Samba 4.8.3 compiled from source. Both have similar configurations. The Debian DC doesn't give this warning, but the Rasbian one does; the user is logged on anyway. If I remove the krb5 entries from the Auth lines in the above file the warning disappears. Using kinit works OK. Can I ignore this warning or does it point to something wrong with the installation? Let me know if you need more info. Thanks, Roy
Rowland Penny
2018-Jul-21 11:16 UTC
[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller
On Sat, 21 Jul 2018 11:24:47 +0100 Roy Eastwood via samba <samba at lists.samba.org> wrote:> From: Roy Eastwood via samba <samba at lists.samba.org> > To: <samba at lists.samba.org> > Subject: [Samba] Failed to establish your Kerberos Ticket cache due > time differences with the domain controller Date: Sat, 21 Jul 2018 > 11:24:47 +0100 Reply-To: Roy Eastwood <spindles7 at gmail.com> > Sender: "samba" <samba-bounces at lists.samba.org> > X-Mailer: Microsoft Outlook 14.0 > > I have this warning message when I try to logon using a domain user > to the DC itself: > > "Failed to establish your Kerberos Ticket cache due time differences > with the domain controller. Please verify the system time."It looks like there is something wrong with your time settings, even though you don't think there is. Do your DC's point to themselves as the dns server or each other ?> > I have set up PAM using this file: /usr/share/pam-configs/winbind: >That is the debian default, which works for me ;-)> The time is correct on both DCs (I am using chrony to set time using > ntp). I have two DCs: one based on Debian Stretch and one based > on Rasbian Stretch. Both are using Samba 4.8.3 compiled from > source. Both have similar configurations. The Debian DC doesn't > give this warning, but the Rasbian one does; the user is logged on > anyway. If I remove the krb5 entries from the Auth lines in the > above file the warning disappears. Using kinit works OK. > > Can I ignore this warning or does it point to something wrong with the > installation?You have a problem, you should not ignore it. I would peer very closely at the rpi, mainly because it doesn't have an RTC. It may help if you posted the main conf files from both DC's Rowland
L.P.H. van Belle
2018-Jul-23 06:39 UTC
[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller
If you chrony is using the default ntp pools, yes, you might see this. Try to set both servers to a few stratum 1 servers. Look them up here, choose 2-3 close to you. https://support.ntp.org/bin/view/Servers/StratumOneTimeServers Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Rowland Penny via samba > Verzonden: zaterdag 21 juli 2018 13:17 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] Failed to establish your Kerberos > Ticket cache due time differences with the domain controller > > On Sat, 21 Jul 2018 11:24:47 +0100 > Roy Eastwood via samba <samba at lists.samba.org> wrote: > > > From: Roy Eastwood via samba <samba at lists.samba.org> > > To: <samba at lists.samba.org> > > Subject: [Samba] Failed to establish your Kerberos Ticket cache due > > time differences with the domain controller Date: Sat, 21 Jul 2018 > > 11:24:47 +0100 Reply-To: Roy Eastwood <spindles7 at gmail.com> > > Sender: "samba" <samba-bounces at lists.samba.org> > > X-Mailer: Microsoft Outlook 14.0 > > > > I have this warning message when I try to logon using a domain user > > to the DC itself: > > > > "Failed to establish your Kerberos Ticket cache due time differences > > with the domain controller. Please verify the system time." > > It looks like there is something wrong with your time settings, even > though you don't think there is. Do your DC's point to themselves as > the dns server or each other ? > > > > > I have set up PAM using this file: /usr/share/pam-configs/winbind: > > > > That is the debian default, which works for me ;-) > > > > The time is correct on both DCs (I am using chrony to set time using > > ntp). I have two DCs: one based on Debian Stretch and one based > > on Rasbian Stretch. Both are using Samba 4.8.3 compiled from > > source. Both have similar configurations. The Debian > DC doesn't > > give this warning, but the Rasbian one does; the user is logged on > > anyway. If I remove the krb5 entries from the Auth lines in the > > above file the warning disappears. Using kinit works OK. > > > > Can I ignore this warning or does it point to something > wrong with the > > installation? > > You have a problem, you should not ignore it. I would peer > very closely > at the rpi, mainly because it doesn't have an RTC. > > It may help if you posted the main conf files from both DC's > > Rowland > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
Maybe Matching Threads
- Failed to establish your Kerberos Ticket cache due time differences with the domain controller
- Failed to establish your Kerberos Ticket cache due time differences with the domain controller
- Failed to establish your Kerberos Ticket cache due time differences with the domain controller
- Failed to establish your Kerberos Ticket cache due time differences with the domain controller
- Failed to establish your Kerberos Ticket cache due time differences with the domain controller