Roy Eastwood
2018-Jul-23 20:28 UTC
[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller
Thanks Louis. Results below.> Hai, > > I've reading this thread more closely. > > I suggest you try the followoing. > > Check the servers hardware clock in the bios first. > Set these within 5 min, if they are not about the same. >There no RTC in the pi; the other DC is running in a VM with RTC set to UTC. I have disabled the guest from getting the time from the host OS.> Run : dpkg-reconfigure tzdata > Check/set the correct timezones on both servers, and both servers should show > you the same date/time and (optional) zone. >Done, both show the TZ to be correct ie Europe/London and local and UTC times are correct and identical on both DCs.> Run : ntpq -p > Check the offset on both servers.Don't have ntpq (part of ntp package?) but ran chronyc sources with the following results: root at pi-dc:~# chronyc sources 210 Number of sources = 3 MS Name/IP address Stratum Poll Reach LastRx Last sample ==============================================================================^+ www.bhay.org 2 6 377 42 -2411us[-2629us] +/- 14ms ^* 85.199.214.100 1 6 377 41 +673us[ +455us] +/- 6491us ^+ 213.246.159.21 1 6 377 42 +340us[ +123us] +/- 16ms root at debian-vb:~# chronyc sources 210 Number of sources = 3 MS Name/IP address Stratum Poll Reach LastRx Last sample ==============================================================================^* 85.199.214.102 1 6 377 42 -357us[ -354us] +/- 7721us ^+ server1.quickdrivingtest> 1 6 377 41 -617us[ -617us] +/- 6199us ^+ time.netweaver.uk 2 6 377 41 +323us[ +323us] +/- 12ms Both DCs are configured to use the same servers (0.uk.pool.ntp.org, 1.uk.pool.ntp.org and 2.uk.pool.ntp.org)> > Add : winbind refresh tickets = yes to you smb.confDone.> > If these are member servers, make sure you have only the server lines pointed > to you AD DC's. > If these are DC's, them make sure the both point to the same ntp servers.yes, see above> Dont use pool servers for the AD DC's, but thats my advice.OK, will try Stratum1 and see what happens, but for now here are the results so far.> > Reboot the servers, first DC with FSMO, if there are DC's involved. > This wil clear kerberos cache tickets and should make sure the time is really set > ok. > > Login again, do have still have the time message, if yes..No change, message still there. Even with the other DC switched off (the one with FSMO roles).> > Check : > /etc/pam.d/common-auth > You should see a line like : > auth [success=1 default=ignore] pam_winbind.so krb5_auth > krb5_ccache_type=FILE cached_login try_first_pass > > Change that one to > auth [success=1 default=ignore] pam_winbind.so krb5_auth try_first_pass > Try again, put it back again after a successull login without messages. >Done, that but still get the warning even with the shorter version. Never able to logon without the warning, so put it back anyway. The only way I have found not to get the message is to remove the krb5_auth (and the other ones) completely. But then we are not using Kerberos.> When this is done. > Now go clear the kerberos cache. > Run : klist -ef > Check the ETYPES and Flags. >As roy (after logging in and getting the message: Failed to establish your Kerberos Ticket cache due time differences with the domain controller. Please verify the system time. MICROLYNX\roy at pi-dc:~ $ klist -ef klist: No credentials cache found (filename: /tmp/krb5cc_3000022) So generate a ticket: MICROLYNX\roy at pi-dc:~ $ kinit roy Password for roy at MICROLYNX.ORG: MICROLYNX\roy at pi-dc:~ $ klist -ef Ticket cache: FILE:/tmp/krb5cc_3000022 Default principal: roy at MICROLYNX.ORG Valid starting Expires Service principal 23/07/18 21:25:51 24/07/18 07:25:51 krbtgt/MICROLYNX.ORG at MICROLYNX.ORG renew until 24/07/18 21:25:48, Flags: RIA Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96> > Now mail us back with the results. > Above should determine if its and old kerberos cache problem or ntp problem. > > > Greetz, > > Louis >Cheers, Roy
Rowland Penny
2018-Jul-23 21:10 UTC
[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller
On Mon, 23 Jul 2018 21:28:15 +0100 Roy Eastwood via samba <samba at lists.samba.org> wrote:> Thanks Louis. Results below. > > > Hai, > > > > I've reading this thread more closely. > > > > I suggest you try the followoing. > > > > Check the servers hardware clock in the bios first. > > Set these within 5 min, if they are not about the same. > > > There no RTC in the pi; the other DC is running in a VM with RTC set > to UTC. I have disabled the guest from getting the time from the > host OS. > > > Run : dpkg-reconfigure tzdata > > Check/set the correct timezones on both servers, and both servers > > should show you the same date/time and (optional) zone. > > > Done, both show the TZ to be correct ie Europe/London and local and > UTC times are correct and identical on both DCs. > > > Run : ntpq -p > > Check the offset on both servers. > Don't have ntpq (part of ntp package?) but ran chronyc sources with > the following results: > > root at pi-dc:~# chronyc sources > 210 Number of sources = 3 > MS Name/IP address Stratum Poll Reach LastRx Last sample > ==============================================================================> ^+ www.bhay.org 2 6 377 42 -2411us[-2629us] > +/- 14ms ^* 85.199.214.100 1 6 377 41 > +673us[ +455us] +/- 6491us ^+ 213.246.159.21 1 6 > 377 42 +340us[ +123us] +/- 16ms > > root at debian-vb:~# chronyc sources > 210 Number of sources = 3 > MS Name/IP address Stratum Poll Reach LastRx Last sample > ==============================================================================> ^* 85.199.214.102 1 6 377 42 -357us[ -354us] > +/- 7721us ^+ server1.quickdrivingtest> 1 6 377 41 > -617us[ -617us] +/- 6199us ^+ time.netweaver.uk 2 6 > 377 41 +323us[ +323us] +/- 12ms > > Both DCs are configured to use the same servers (0.uk.pool.ntp.org, > 1.uk.pool.ntp.org and 2.uk.pool.ntp.org) > > > > > Add : winbind refresh tickets = yes to you smb.conf > > Done. > > > > > If these are member servers, make sure you have only the server > > lines pointed to you AD DC's. > > If these are DC's, them make sure the both point to the same ntp > > servers. > > yes, see above > > > Dont use pool servers for the AD DC's, but thats my advice. > > OK, will try Stratum1 and see what happens, but for now here are the > results so far. > > > > > Reboot the servers, first DC with FSMO, if there are DC's involved. > > This wil clear kerberos cache tickets and should make sure the time > > is really set ok. > > > > Login again, do have still have the time message, if yes.. > > No change, message still there. Even with the other DC switched off > (the one with FSMO roles). > > > > > Check : > > /etc/pam.d/common-auth > > You should see a line like : > > auth [success=1 default=ignore] pam_winbind.so krb5_auth > > krb5_ccache_type=FILE cached_login try_first_pass > > > > Change that one to > > auth [success=1 default=ignore] pam_winbind.so krb5_auth > > try_first_pass Try again, put it back again after a successull > > login without messages. > > > Done, that but still get the warning even with the shorter > version. Never able to logon without the warning, so put it back > anyway. The only way I have found not to get the message is to remove > the krb5_auth (and the other ones) completely. But then we are not > using Kerberos. > > > When this is done. > > Now go clear the kerberos cache. > > Run : klist -ef > > Check the ETYPES and Flags. > > > As roy (after logging in and getting the message: > Failed to establish your Kerberos Ticket cache due time differences > with the domain controller. Please verify the system time.OK, I know where the message is coming from ;-) samba-master/nsswitch/pam_winbind.c line 1441 static void _pam_warn_krb5_failure(struct pwb_context *ctx, const char *username, uint32_t info3_user_flgs) { if (PAM_WB_KRB5_CLOCK_SKEW(info3_user_flgs)) { _make_remark(ctx, PAM_ERROR_MSG, _("Failed to establish your Kerberos Ticket cache " "due time differences\n" "with the domain controller. " "Please verify the system time.\n")); _pam_log_debug(ctx, LOG_DEBUG, "User %s: Clock skew when getting Krb5 TGT\n", username); } } So it looks like you must have some difference in time between the two DC's Try installing ntpdate on each DC and then run on each DC: ntpdate -d -u 'FQDN of other DC' You should get a very low 'offset', it is in seconds Rowland
Roy Eastwood
2018-Jul-23 22:53 UTC
[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller
> > As roy (after logging in and getting the message: > > Failed to establish your Kerberos Ticket cache due time differences > > with the domain controller. Please verify the system time. > > OK, I know where the message is coming from ;-) > > samba-master/nsswitch/pam_winbind.c > > line 1441 > > static void _pam_warn_krb5_failure(struct pwb_context *ctx, > const char *username, > uint32_t info3_user_flgs) > { > if (PAM_WB_KRB5_CLOCK_SKEW(info3_user_flgs)) { > _make_remark(ctx, PAM_ERROR_MSG, > _("Failed to establish your Kerberos Ticket cache " > "due time differences\n" > "with the domain controller. " > "Please verify the system time.\n")); > _pam_log_debug(ctx, LOG_DEBUG, > "User %s: Clock skew when getting Krb5 TGT\n", > username); > } > } > > So it looks like you must have some difference in time between the two > DC's > Try installing ntpdate on each DC and then run on each DC: > > ntpdate -d -u 'FQDN of other DC' > > You should get a very low 'offset', it is in seconds > > RowlandOk, done that and the result on pi-dc: root at pi-dc:~# ntpdate -d -u debian-vb.microlynx.org 23 Jul 23:48:59 ntpdate[1876]: ntpdate 4.2.8p10 at 1.3728-o Sat Mar 10 18:03:47 UTC 2018 (1) transmit(192.168.2.6) receive(192.168.2.6) transmit(192.168.2.6) receive(192.168.2.6) transmit(192.168.2.6) receive(192.168.2.6) transmit(192.168.2.6) receive(192.168.2.6) server 192.168.2.6, port 123 stratum 2, precision -25, leap 00, trust 000 refid [192.168.2.6], delay 0.02611, dispersion 0.00000 transmitted 4, in filter 4 reference time: df00d7bd.5789fa50 Mon, Jul 23 2018 23:39:57.341 originate timestamp: df00d9e1.2f172491 Mon, Jul 23 2018 23:49:05.183 transmit timestamp: df00d9e1.2f162fa4 Mon, Jul 23 2018 23:49:05.183 filter delay: 0.02623 0.02611 0.02614 0.02621 0.00000 0.00000 0.00000 0.00000 filter offset: -0.00029 -0.00034 -0.00034 -0.00033 0.000000 0.000000 0.000000 0.000000 delay 0.02611, dispersion 0.00000 offset -0.000345 23 Jul 23:49:05 ntpdate[1876]: adjust time server 192.168.2.6 offset -0.000345 sec Result the other way: root at debian-vb:~# ntpdate -d -u pi-dc.microlynx.org 23 Jul 23:51:11 ntpdate[18082]: ntpdate 4.2.8p10 at 1.3728-o Sun Feb 25 21:22:56 UTC 2018 (1) transmit(192.168.2.4) receive(192.168.2.4) transmit(192.168.2.4) receive(192.168.2.4) transmit(192.168.2.4) receive(192.168.2.4) transmit(192.168.2.4) receive(192.168.2.4) server 192.168.2.4, port 123 stratum 2, precision -22, leap 00, trust 000 refid [192.168.2.4], delay 0.02605, dispersion 0.00002 transmitted 4, in filter 4 reference time: df00d7ae.eb5aa9d1 Mon, Jul 23 2018 23:39:42.919 originate timestamp: df00da65.41ba9acc Mon, Jul 23 2018 23:51:17.256 transmit timestamp: df00da65.417e786b Mon, Jul 23 2018 23:51:17.255 filter delay: 0.02612 0.02605 0.02606 0.02606 0.00000 0.00000 0.00000 0.00000 filter offset: 0.000586 0.000634 0.000598 0.000606 0.000000 0.000000 0.000000 0.000000 delay 0.02605, dispersion 0.00002 offset 0.000634 23 Jul 23:51:17 ntpdate[18082]: adjust time server 192.168.2.4 offset 0.000634 sec I would say the clocks are pretty much the same :-) Thanks for all your help. Roy
L.P.H. van Belle
2018-Jul-24 08:40 UTC
[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller
I did re-read the whole thread again. Im running out of options.. When i look at : https://wiki.samba.org/index.php/PAM_Offline_Authentication You can do these last checks. Run the : Testing offline authentication as show on the wiki. Debian normaly does not have /etc/security/pam_winbind.conf, check if its there if so backup it remove it. Check if these packages are installed. libpam-krb5 libpam-winbind libnss-winbind Now edit : /usr/share/pam-configs/winbind And change it to : (see debug debug_state) Auth: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass debug debug_state Auth-Initial: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login debug debug_state Run : pam-auth-update And login again. Lets see what you get of that debug output. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Roy > Eastwood via samba > Verzonden: dinsdag 24 juli 2018 0:54 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] Failed to establish your Kerberos > Ticket cache due time differences with the domain controller > > > > As roy (after logging in and getting the message: > > > Failed to establish your Kerberos Ticket cache due time > differences > > > with the domain controller. Please verify the system time. > > > > OK, I know where the message is coming from ;-) > > > > samba-master/nsswitch/pam_winbind.c > > > > line 1441 > > > > static void _pam_warn_krb5_failure(struct pwb_context *ctx, > > const char *username, > > uint32_t info3_user_flgs) > > { > > if (PAM_WB_KRB5_CLOCK_SKEW(info3_user_flgs)) { > > _make_remark(ctx, PAM_ERROR_MSG, > > _("Failed to establish your > Kerberos Ticket cache " > > "due time differences\n" > > "with the domain controller. " > > "Please verify the system time.\n")); > > _pam_log_debug(ctx, LOG_DEBUG, > > "User %s: Clock skew when > getting Krb5 TGT\n", > > username); > > } > > } > > > > So it looks like you must have some difference in time > between the two > > DC's > > Try installing ntpdate on each DC and then run on each DC: > > > > ntpdate -d -u 'FQDN of other DC' > > > > You should get a very low 'offset', it is in seconds > > > > Rowland > > Ok, done that and the result on pi-dc: > root at pi-dc:~# ntpdate -d -u debian-vb.microlynx.org > 23 Jul 23:48:59 ntpdate[1876]: ntpdate 4.2.8p10 at 1.3728-o Sat > Mar 10 18:03:47 UTC > 2018 (1) > transmit(192.168.2.6) > receive(192.168.2.6) > transmit(192.168.2.6) > receive(192.168.2.6) > transmit(192.168.2.6) > receive(192.168.2.6) > transmit(192.168.2.6) > receive(192.168.2.6) > server 192.168.2.6, port 123 > stratum 2, precision -25, leap 00, trust 000 > refid [192.168.2.6], delay 0.02611, dispersion 0.00000 > transmitted 4, in filter 4 > reference time: df00d7bd.5789fa50 Mon, Jul 23 2018 23:39:57.341 > originate timestamp: df00d9e1.2f172491 Mon, Jul 23 2018 23:49:05.183 > transmit timestamp: df00d9e1.2f162fa4 Mon, Jul 23 2018 23:49:05.183 > filter delay: 0.02623 0.02611 0.02614 0.02621 > 0.00000 0.00000 0.00000 0.00000 > filter offset: -0.00029 -0.00034 -0.00034 -0.00033 > 0.000000 0.000000 0.000000 0.000000 > delay 0.02611, dispersion 0.00000 > offset -0.000345 > > 23 Jul 23:49:05 ntpdate[1876]: adjust time server 192.168.2.6 > offset -0.000345 > sec > > Result the other way: > root at debian-vb:~# ntpdate -d -u pi-dc.microlynx.org > 23 Jul 23:51:11 ntpdate[18082]: ntpdate 4.2.8p10 at 1.3728-o Sun > Feb 25 21:22:56 > UTC 2018 (1) > transmit(192.168.2.4) > receive(192.168.2.4) > transmit(192.168.2.4) > receive(192.168.2.4) > transmit(192.168.2.4) > receive(192.168.2.4) > transmit(192.168.2.4) > receive(192.168.2.4) > server 192.168.2.4, port 123 > stratum 2, precision -22, leap 00, trust 000 > refid [192.168.2.4], delay 0.02605, dispersion 0.00002 > transmitted 4, in filter 4 > reference time: df00d7ae.eb5aa9d1 Mon, Jul 23 2018 23:39:42.919 > originate timestamp: df00da65.41ba9acc Mon, Jul 23 2018 23:51:17.256 > transmit timestamp: df00da65.417e786b Mon, Jul 23 2018 23:51:17.255 > filter delay: 0.02612 0.02605 0.02606 0.02606 > 0.00000 0.00000 0.00000 0.00000 > filter offset: 0.000586 0.000634 0.000598 0.000606 > 0.000000 0.000000 0.000000 0.000000 > delay 0.02605, dispersion 0.00002 > offset 0.000634 > > 23 Jul 23:51:17 ntpdate[18082]: adjust time server > 192.168.2.4 offset 0.000634 > sec > > I would say the clocks are pretty much the same :-) > > Thanks for all your help. > > Roy > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
Reasonably Related Threads
- Failed to establish your Kerberos Ticket cache due time differences with the domain controller
- Failed to establish your Kerberos Ticket cache due time differences with the domain controller
- Failed to establish your Kerberos Ticket cache due time differences with the domain controller
- chrony configuration for secondary samba DC
- Failed to establish your Kerberos Ticket cache due time differences with the domain controller