samba - Jul 2018 - Failed to establish your Kerberos Ticket cache due time differences with the domain controller

Thanks for that.
> > > Remove the following lines, they shouldn't be in a DC
> > >  From here:
> > >> 	wins support = no
> > >> 	local master = yes
> > >> 	domain master = yes
> > >> 	preferred master = yes
> > > To here.
> > >
> > > If you have chrony (or ntp) running, then you don't need
another
> > > time server (I take it 'systemd-timesyncd' is a time
server,
> > > wouldn't know, I do not use systemd)
> > >
> >
> > The service 'systemd-timesyncd' is a time client and not a
time
> > server.
> >
> > https://www.freedesktop.org/software/systemd/man/systemd-
> timesyncd.service.html
> >
> 
> This quote from the above link "The systemd-timesyncd service
> specifically implements only SNTP", means it isn't any good for a
DC.
> 
> Rowland
Ok, have edited the  smb.conf and removed the fake-hwclock and disabled the
systemd-timesyncd service (as I assume chrony will set the DC's clock as
well as providing the time server for domain computers?) but the problem
remains.     When I log in (via ssh) I get the above message (as in the subject)
and the following is logged in the log.wb-MICROLYNX file:

[2018/07/21 16:37:52.194656,  1]
../source3/libads/authdata.c:175(kerberos_return_pac)
  kinit failed for 'roy at MICROLYNX.ORG' with: Clock skew too great
(-1765328347)

Yet the system time is correct.   Where is it getting time from?

Roy

On Sat, 21 Jul 2018 16:40:58 +0100
Roy Eastwood via samba <samba at lists.samba.org> wrote:
> Thanks for that.
> 
> > > > Remove the following lines, they shouldn't be in a DC
> > > >  From here:
> > > >> 	wins support = no
> > > >> 	local master = yes
> > > >> 	domain master = yes
> > > >> 	preferred master = yes
> > > > To here.
> > > >
> > > > If you have chrony (or ntp) running, then you don't need
another
> > > > time server (I take it 'systemd-timesyncd' is a time
server,
> > > > wouldn't know, I do not use systemd)
> > > >
> > >
> > > The service 'systemd-timesyncd' is a time client and not
a time
> > > server.
> > >
> > > https://www.freedesktop.org/software/systemd/man/systemd-
> > timesyncd.service.html
> > >
> > 
> > This quote from the above link "The systemd-timesyncd service
> > specifically implements only SNTP", means it isn't any good
for a
> > DC.
> > 
> > Rowland
> 
> Ok, have edited the  smb.conf and removed the fake-hwclock and
> disabled the systemd-timesyncd service (as I assume chrony will set
> the DC's clock as well as providing the time server for domain
> computers?) but the problem remains.     When I log in (via ssh) I
> get the above message (as in the subject) and the following is logged
> in the log.wb-MICROLYNX file:
> 
> [2018/07/21 16:37:52.194656,
> 1] ../source3/libads/authdata.c:175(kerberos_return_pac) kinit failed
> for 'roy at MICROLYNX.ORG' with: Clock skew too great (-1765328347)
> 
> Yet the system time is correct.   Where is it getting time from?
> 
> Roy
> 
> 
Strange, you say the time is okay, but the error says it isn't.

Try this, open a terminal on both DC's, run 'date' and
'samba-tool
time' on both. The results should be virtually the same.

e.g.
root at dc4:~# samba-tool time
Sat Jul 21 16:47:43 2018 BST
root at dc4:~# date
Sat 21 Jul 16:47:46 BST 2018

Rowland

> 
> Strange, you say the time is okay, but the error says it isn't.
> 
> Try this, open a terminal on both DC's, run 'date' and
'samba-tool
> time' on both. The results should be virtually the same.
> 
> e.g.
> root at dc4:~# samba-tool time
> Sat Jul 21 16:47:43 2018 BST
> root at dc4:~# date
> Sat 21 Jul 16:47:46 BST 2018
> 
> Rowland
> 
Interesting...

On the pi-dc (the one with the error) I get the following:
As root:
root at pi-dc:~# samba-tool time
Sat Jul 21 16:55:20 2018 BST
root at pi-dc:~# date
Sat 21 Jul 16:55:22 BST 2018
root at pi-dc:~#

OK, that's good.

As roy: (AD user)
MICROLYNX\roy at pi-dc:~ $ samba-tool time
ldb: Unable to open tdb '/usr/local/samba/private/secrets.ldb':
Permission denied
ldb: Failed to connect to '/usr/local/samba/private/secrets.ldb' with
backend 'tdb': Unable to open tdb
'/usr/local/samba/private/secrets.ldb': Permission denied
Could not find machine account in secrets database: Failed to fetch machine
account password from secrets.ldb: Could not open secrets.ldb and failed to open
/usr/local/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Sat Jul 21 16:56:00 2018 BST
MICROLYNX\roy at pi-dc:~ $ date
Sat 21 Jul 16:56:10 BST 2018

Maybe expected as roy doesn't have access to the 'private' folder?

On debian-vb, I get the following:
As roy:
MICROLYNX\roy at debian-vb:~$ samba-tool time
ldb: Unable to open tdb '/usr/local/samba/private/secrets.ldb':
Permission denied
ldb: Failed to connect to '/usr/local/samba/private/secrets.ldb' with
backend 'tdb': Unable to open tdb
'/usr/local/samba/private/secrets.ldb': Permission denied
Could not find machine account in secrets database: Failed to fetch machine
account password from secrets.ldb: Could not open secrets.ldb and failed to open
/usr/local/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ERROR(runtime): uncaught exception - (-1073741823, "Connection to SRVSVC
pipe of server 'debian-vb.microlynx.org' failed:
NT_STATUS_UNSUCCESSFUL")
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/nettime.py",
line 59, in run
    self.outf.write(net.time(server_name)+"\n")
MICROLYNX\roy at debian-vb:~$ date
Sat 21 Jul 16:56:58 BST 2018

As root:
root at debian-vb:~# samba-tool time
ERROR(runtime): uncaught exception - (-1073741823, "Connection to SRVSVC
pipe of server 'debian-vb.microlynx.org' failed:
NT_STATUS_UNSUCCESSFUL")
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/nettime.py",
line 59, in run
    self.outf.write(net.time(server_name)+"\n")
root at debian-vb:~# date
Sat 21 Jul 17:01:21 BST 2018

So it would seem there's something amiss with the original dc (debian-vb)!

Roy