samba - Jul 2018 - Failed to establish your Kerberos Ticket cache due time differences with the domain controller

I have this warning message when I try to logon using a domain user to the DC
itself: 

"Failed to establish your Kerberos Ticket cache due time differences
with the domain controller.  Please verify the system time."

I have set up PAM using this file: /usr/share/pam-configs/winbind:

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
	[success=end default=ignore]	pam_winbind.so krb5_auth
krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
	[success=end default=ignore]	pam_winbind.so krb5_auth
krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
	[success=end new_authtok_reqd=done default=ignore]	pam_winbind.so
Password-Type: Primary
Password:
	[success=end default=ignore]	pam_winbind.so use_authtok
try_first_pass
Password-Initial:
	[success=end default=ignore]	pam_winbind.so
Session-Type: Additional
Session:
	optional			pam_winbind.so

The time is correct on both DCs (I am using chrony to set time using ntp).     I
have two DCs: one based on Debian Stretch and one based on Rasbian Stretch.
Both are using Samba 4.8.3 compiled from source.    Both have similar
configurations.    The Debian DC doesn't give this warning, but the Rasbian
one
does;  the user is logged on anyway.   If I remove the krb5 entries from the
Auth lines in the above file the warning disappears.      Using kinit works OK.

Can I ignore this warning or does it point to something wrong with the
installation?

Let me know if you need more info.

Thanks,

Roy

On Sat, 21 Jul 2018 11:24:47 +0100
Roy Eastwood via samba <samba at lists.samba.org> wrote:
> From: Roy Eastwood via samba <samba at lists.samba.org>
> To: <samba at lists.samba.org>
> Subject: [Samba] Failed to establish your Kerberos Ticket cache due
> time differences with the domain controller Date: Sat, 21 Jul 2018
> 11:24:47 +0100 Reply-To: Roy Eastwood <spindles7 at gmail.com>
> Sender: "samba" <samba-bounces at lists.samba.org>
> X-Mailer: Microsoft Outlook 14.0
> 
> I have this warning message when I try to logon using a domain user
> to the DC itself: 
> 
> "Failed to establish your Kerberos Ticket cache due time differences
> with the domain controller.  Please verify the system time."
It looks like there is something wrong with your time settings, even
though you don't think there is. Do your DC's point to themselves as
the dns server or each other ?
> 
> I have set up PAM using this file: /usr/share/pam-configs/winbind:
> 
That is the debian default, which works for me ;-)

> The time is correct on both DCs (I am using chrony to set time using
> ntp).     I have two DCs: one based on Debian Stretch and one based
> on Rasbian Stretch. Both are using Samba 4.8.3 compiled from
> source.    Both have similar configurations.    The Debian DC doesn't
> give this warning, but the Rasbian one does;  the user is logged on
> anyway.   If I remove the krb5 entries from the Auth lines in the
> above file the warning disappears.      Using kinit works OK.
> 
> Can I ignore this warning or does it point to something wrong with the
> installation?
You have a problem, you should not ignore it. I would peer very closely
at the rpi, mainly because it doesn't have an RTC.

It may help if you posted the main conf files from both DC's

Rowland

If you chrony is using the default ntp pools, yes, you might see this. 
Try to set both servers to a few stratum 1 servers. 
Look them up here, choose 2-3 close to you.
https://support.ntp.org/bin/view/Servers/StratumOneTimeServers 

Greetz, 

Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland Penny via samba
> Verzonden: zaterdag 21 juli 2018 13:17
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Failed to establish your Kerberos 
> Ticket cache due time differences with the domain controller
> 
> On Sat, 21 Jul 2018 11:24:47 +0100
> Roy Eastwood via samba <samba at lists.samba.org> wrote:
> 
> > From: Roy Eastwood via samba <samba at lists.samba.org>
> > To: <samba at lists.samba.org>
> > Subject: [Samba] Failed to establish your Kerberos Ticket cache due
> > time differences with the domain controller Date: Sat, 21 Jul 2018
> > 11:24:47 +0100 Reply-To: Roy Eastwood <spindles7 at gmail.com>
> > Sender: "samba" <samba-bounces at lists.samba.org>
> > X-Mailer: Microsoft Outlook 14.0
> > 
> > I have this warning message when I try to logon using a domain user
> > to the DC itself: 
> > 
> > "Failed to establish your Kerberos Ticket cache due time
differences
> > with the domain controller.  Please verify the system time."
> 
> It looks like there is something wrong with your time settings, even
> though you don't think there is. Do your DC's point to themselves
as
> the dns server or each other ?
> 
> > 
> > I have set up PAM using this file: /usr/share/pam-configs/winbind:
> > 
> 
> That is the debian default, which works for me ;-)
> 
> 
> > The time is correct on both DCs (I am using chrony to set time using
> > ntp).     I have two DCs: one based on Debian Stretch and one based
> > on Rasbian Stretch. Both are using Samba 4.8.3 compiled from
> > source.    Both have similar configurations.    The Debian 
> DC doesn't
> > give this warning, but the Rasbian one does;  the user is logged on
> > anyway.   If I remove the krb5 entries from the Auth lines in the
> > above file the warning disappears.      Using kinit works OK.
> > 
> > Can I ignore this warning or does it point to something 
> wrong with the
> > installation?
> 
> You have a problem, you should not ignore it. I would peer 
> very closely
> at the rpi, mainly because it doesn't have an RTC.
> 
> It may help if you posted the main conf files from both DC's
> 
> Rowland
>  
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>