samba - Jul 2018 - Failed to establish your Kerberos Ticket cache due time differences with the domain controller

Thanks Louis.   Results below.
 
> Hai,
> 
> I've reading this thread more closely.
> 
> I suggest you try the followoing.
> 
> Check the servers hardware clock in the bios first.
> Set these within 5 min, if they are not about the same.
> 
There no RTC in the pi;  the other DC is running in a VM with RTC set to UTC.  
I have disabled the guest from getting the time from the host OS.
> Run :  dpkg-reconfigure tzdata
> Check/set the correct timezones on both servers, and both servers should
show
> you the same date/time and (optional) zone.
> 
Done, both show the TZ to be correct ie Europe/London and local and UTC times
are correct and identical on both DCs.
> Run : ntpq -p
> Check the offset on both servers.
Don't have ntpq (part of ntp package?) but ran chronyc sources with the
following results:

root at pi-dc:~# chronyc sources
210 Number of sources = 3
MS Name/IP address         Stratum Poll Reach LastRx Last sample
==============================================================================^+
www.bhay.org                  2   6   377    42  -2411us[-2629us] +/-   14ms
^* 85.199.214.100                1   6   377    41   +673us[ +455us] +/- 6491us
^+ 213.246.159.21                1   6   377    42   +340us[ +123us] +/-   16ms

root at debian-vb:~# chronyc sources
210 Number of sources = 3
MS Name/IP address         Stratum Poll Reach LastRx Last sample
==============================================================================^*
85.199.214.102                1   6   377    42   -357us[ -354us] +/- 7721us
^+ server1.quickdrivingtest>     1   6   377    41   -617us[ -617us] +/-
6199us
^+ time.netweaver.uk             2   6   377    41   +323us[ +323us] +/-   12ms

Both DCs are configured to use the same servers (0.uk.pool.ntp.org,
1.uk.pool.ntp.org and 2.uk.pool.ntp.org)
> 
> Add :  winbind refresh tickets = yes to you smb.conf
Done.
> 
> If these are member servers, make sure you have only the server lines
pointed
> to you AD DC's.
> If these are DC's, them make sure the both point to the same ntp
servers.
yes, see above
> Dont use pool servers for the AD DC's, but thats my advice.
OK, will try Stratum1 and see what happens, but for now here are the results so
far.
> 
> Reboot the servers, first DC with FSMO, if there are DC's involved.
> This wil clear kerberos cache tickets and should make sure the time is
really set
> ok.
> 
> Login again, do have still have the time message, if yes..
No change, message still there.   Even with the other DC switched off (the one
with FSMO roles).
> 
> Check :
> /etc/pam.d/common-auth
> You should see a line like :
> auth    [success=1 default=ignore]      pam_winbind.so krb5_auth
> krb5_ccache_type=FILE cached_login try_first_pass
> 
> Change that one to
> auth    [success=1 default=ignore]      pam_winbind.so krb5_auth
try_first_pass
> Try again, put it back again after a successull login without messages.
> 
Done, that but still get the warning even with the shorter version.    Never
able to logon without the warning, so put it back anyway.
The only way I have found not to get the message is to remove the krb5_auth (and
the other ones) completely.   But then we are not using Kerberos.
> When this is done.
> Now go clear the kerberos cache.
> Run : klist -ef
> Check the ETYPES and Flags.
> 
As roy (after logging in and getting the message:
Failed to establish your Kerberos Ticket cache due time differences
with the domain controller.  Please verify the system time.
MICROLYNX\roy at pi-dc:~ $ klist -ef
klist: No credentials cache found (filename: /tmp/krb5cc_3000022)

So generate a ticket:
MICROLYNX\roy at pi-dc:~ $ kinit roy
Password for roy at MICROLYNX.ORG:
MICROLYNX\roy at pi-dc:~ $ klist -ef
Ticket cache: FILE:/tmp/krb5cc_3000022
Default principal: roy at MICROLYNX.ORG

Valid starting     Expires            Service principal
23/07/18 21:25:51  24/07/18 07:25:51  krbtgt/MICROLYNX.ORG at MICROLYNX.ORG
        renew until 24/07/18 21:25:48, Flags: RIA
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 
> Now mail us back with the results.
> Above should determine if its and old kerberos cache problem or ntp
problem.
> 
> 
> Greetz,
> 
> Louis
> 
Cheers,

Roy

On Mon, 23 Jul 2018 21:28:15 +0100
Roy Eastwood via samba <samba at lists.samba.org> wrote:
> Thanks Louis.   Results below.
>  
> > Hai,
> > 
> > I've reading this thread more closely.
> > 
> > I suggest you try the followoing.
> > 
> > Check the servers hardware clock in the bios first.
> > Set these within 5 min, if they are not about the same.
> > 
> There no RTC in the pi;  the other DC is running in a VM with RTC set
> to UTC.   I have disabled the guest from getting the time from the
> host OS.
> 
> > Run :  dpkg-reconfigure tzdata
> > Check/set the correct timezones on both servers, and both servers
> > should show you the same date/time and (optional) zone.
> > 
> Done, both show the TZ to be correct ie Europe/London and local and
> UTC times are correct and identical on both DCs.
> 
> > Run : ntpq -p
> > Check the offset on both servers.
> Don't have ntpq (part of ntp package?) but ran chronyc sources with
> the following results:
> 
> root at pi-dc:~# chronyc sources
> 210 Number of sources = 3
> MS Name/IP address         Stratum Poll Reach LastRx Last sample
>
==============================================================================>
^+ www.bhay.org                  2   6   377    42  -2411us[-2629us]
> +/-   14ms ^* 85.199.214.100                1   6   377    41
> +673us[ +455us] +/- 6491us ^+ 213.246.159.21                1   6
> 377    42   +340us[ +123us] +/-   16ms
> 
> root at debian-vb:~# chronyc sources
> 210 Number of sources = 3
> MS Name/IP address         Stratum Poll Reach LastRx Last sample
>
==============================================================================>
^* 85.199.214.102                1   6   377    42   -357us[ -354us]
> +/- 7721us ^+ server1.quickdrivingtest>     1   6   377    41
> -617us[ -617us] +/- 6199us ^+ time.netweaver.uk             2   6
> 377    41   +323us[ +323us] +/-   12ms
> 
> Both DCs are configured to use the same servers (0.uk.pool.ntp.org,
> 1.uk.pool.ntp.org and 2.uk.pool.ntp.org)
> 
> > 
> > Add :  winbind refresh tickets = yes to you smb.conf
> 
> Done.
> 
> > 
> > If these are member servers, make sure you have only the server
> > lines pointed to you AD DC's.
> > If these are DC's, them make sure the both point to the same ntp
> > servers.
> 
> yes, see above
> 
> > Dont use pool servers for the AD DC's, but thats my advice.
> 
> OK, will try Stratum1 and see what happens, but for now here are the
> results so far.
> 
> > 
> > Reboot the servers, first DC with FSMO, if there are DC's
involved.
> > This wil clear kerberos cache tickets and should make sure the time
> > is really set ok.
> > 
> > Login again, do have still have the time message, if yes..
> 
> No change, message still there.   Even with the other DC switched off
> (the one with FSMO roles).
> 
> > 
> > Check :
> > /etc/pam.d/common-auth
> > You should see a line like :
> > auth    [success=1 default=ignore]      pam_winbind.so krb5_auth
> > krb5_ccache_type=FILE cached_login try_first_pass
> > 
> > Change that one to
> > auth    [success=1 default=ignore]      pam_winbind.so krb5_auth
> > try_first_pass Try again, put it back again after a successull
> > login without messages.
> > 
> Done, that but still get the warning even with the shorter
> version.    Never able to logon without the warning, so put it back
> anyway. The only way I have found not to get the message is to remove
> the krb5_auth (and the other ones) completely.   But then we are not
> using Kerberos.
> 
> > When this is done.
> > Now go clear the kerberos cache.
> > Run : klist -ef
> > Check the ETYPES and Flags.
> > 
> As roy (after logging in and getting the message:
> Failed to establish your Kerberos Ticket cache due time differences
> with the domain controller.  Please verify the system time.
OK, I know where the message is coming from ;-)

samba-master/nsswitch/pam_winbind.c

line 1441

static void _pam_warn_krb5_failure(struct pwb_context *ctx,
				   const char *username,
				   uint32_t info3_user_flgs)
{
	if (PAM_WB_KRB5_CLOCK_SKEW(info3_user_flgs)) {
		_make_remark(ctx, PAM_ERROR_MSG,
			     _("Failed to establish your Kerberos Ticket cache "
			       "due time differences\n"
			       "with the domain controller.  "
			       "Please verify the system time.\n"));
		_pam_log_debug(ctx, LOG_DEBUG,
			       "User %s: Clock skew when getting Krb5 TGT\n",
			       username);
	}
}

So it looks like you must have some difference in time between the two
DC's
Try installing ntpdate on each DC and then run on each DC:

ntpdate -d -u 'FQDN of other DC'

You should get a very low 'offset', it is in seconds

Rowland

> > As roy (after logging in and getting the message:
> > Failed to establish your Kerberos Ticket cache due time differences
> > with the domain controller.  Please verify the system time.
> 
> OK, I know where the message is coming from ;-)
> 
> samba-master/nsswitch/pam_winbind.c
> 
> line 1441
> 
> static void _pam_warn_krb5_failure(struct pwb_context *ctx,
> 				   const char *username,
> 				   uint32_t info3_user_flgs)
> {
> 	if (PAM_WB_KRB5_CLOCK_SKEW(info3_user_flgs)) {
> 		_make_remark(ctx, PAM_ERROR_MSG,
> 			     _("Failed to establish your Kerberos Ticket cache "
> 			       "due time differences\n"
> 			       "with the domain controller.  "
> 			       "Please verify the system time.\n"));
> 		_pam_log_debug(ctx, LOG_DEBUG,
> 			       "User %s: Clock skew when getting Krb5 TGT\n",
> 			       username);
> 	}
> }
> 
> So it looks like you must have some difference in time between the two
> DC's
> Try installing ntpdate on each DC and then run on each DC:
> 
> ntpdate -d -u 'FQDN of other DC'
> 
> You should get a very low 'offset', it is in seconds
> 
> Rowland
Ok, done that and the result on pi-dc:
root at pi-dc:~# ntpdate -d -u debian-vb.microlynx.org
23 Jul 23:48:59 ntpdate[1876]: ntpdate 4.2.8p10 at 1.3728-o Sat Mar 10 18:03:47
UTC
2018 (1)
transmit(192.168.2.6)
receive(192.168.2.6)
transmit(192.168.2.6)
receive(192.168.2.6)
transmit(192.168.2.6)
receive(192.168.2.6)
transmit(192.168.2.6)
receive(192.168.2.6)
server 192.168.2.6, port 123
stratum 2, precision -25, leap 00, trust 000
refid [192.168.2.6], delay 0.02611, dispersion 0.00000
transmitted 4, in filter 4
reference time:    df00d7bd.5789fa50  Mon, Jul 23 2018 23:39:57.341
originate timestamp: df00d9e1.2f172491  Mon, Jul 23 2018 23:49:05.183
transmit timestamp:  df00d9e1.2f162fa4  Mon, Jul 23 2018 23:49:05.183
filter delay:  0.02623  0.02611  0.02614  0.02621
         0.00000  0.00000  0.00000  0.00000
filter offset: -0.00029 -0.00034 -0.00034 -0.00033
         0.000000 0.000000 0.000000 0.000000
delay 0.02611, dispersion 0.00000
offset -0.000345

23 Jul 23:49:05 ntpdate[1876]: adjust time server 192.168.2.6 offset -0.000345
sec

Result the other way:
root at debian-vb:~# ntpdate -d -u pi-dc.microlynx.org
23 Jul 23:51:11 ntpdate[18082]: ntpdate 4.2.8p10 at 1.3728-o Sun Feb 25 21:22:56
UTC 2018 (1)
transmit(192.168.2.4)
receive(192.168.2.4)
transmit(192.168.2.4)
receive(192.168.2.4)
transmit(192.168.2.4)
receive(192.168.2.4)
transmit(192.168.2.4)
receive(192.168.2.4)
server 192.168.2.4, port 123
stratum 2, precision -22, leap 00, trust 000
refid [192.168.2.4], delay 0.02605, dispersion 0.00002
transmitted 4, in filter 4
reference time:    df00d7ae.eb5aa9d1  Mon, Jul 23 2018 23:39:42.919
originate timestamp: df00da65.41ba9acc  Mon, Jul 23 2018 23:51:17.256
transmit timestamp:  df00da65.417e786b  Mon, Jul 23 2018 23:51:17.255
filter delay:  0.02612  0.02605  0.02606  0.02606
         0.00000  0.00000  0.00000  0.00000
filter offset: 0.000586 0.000634 0.000598 0.000606
         0.000000 0.000000 0.000000 0.000000
delay 0.02605, dispersion 0.00002
offset 0.000634

23 Jul 23:51:17 ntpdate[18082]: adjust time server 192.168.2.4 offset 0.000634
sec

I would say the clocks are pretty much the same :-)

Thanks for all your help.

Roy

I did re-read the whole thread again. 

Im running out of options.. 

When i look at : 
https://wiki.samba.org/index.php/PAM_Offline_Authentication 
You can do these last checks. 

Run the :  Testing offline authentication as show on the wiki. 

Debian normaly does not have /etc/security/pam_winbind.conf, check if its there
if so backup it remove it.

Check if these packages are installed. 
libpam-krb5
libpam-winbind
libnss-winbind 

Now edit : 
/usr/share/pam-configs/winbind 

And change it to : (see debug debug_state)
Auth:
        [success=end default=ignore]    pam_winbind.so krb5_auth
krb5_ccache_type=FILE cached_login try_first_pass debug debug_state
Auth-Initial:
        [success=end default=ignore]    pam_winbind.so krb5_auth
krb5_ccache_type=FILE cached_login debug debug_state


Run : pam-auth-update 
And login again. 

Lets see what you get of that debug output. 



Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Roy 
> Eastwood via samba
> Verzonden: dinsdag 24 juli 2018 0:54
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Failed to establish your Kerberos 
> Ticket cache due time differences with the domain controller
> 
> > > As roy (after logging in and getting the message:
> > > Failed to establish your Kerberos Ticket cache due time 
> differences
> > > with the domain controller.  Please verify the system time.
> > 
> > OK, I know where the message is coming from ;-)
> > 
> > samba-master/nsswitch/pam_winbind.c
> > 
> > line 1441
> > 
> > static void _pam_warn_krb5_failure(struct pwb_context *ctx,
> > 				   const char *username,
> > 				   uint32_t info3_user_flgs)
> > {
> > 	if (PAM_WB_KRB5_CLOCK_SKEW(info3_user_flgs)) {
> > 		_make_remark(ctx, PAM_ERROR_MSG,
> > 			     _("Failed to establish your 
> Kerberos Ticket cache "
> > 			       "due time differences\n"
> > 			       "with the domain controller.  "
> > 			       "Please verify the system time.\n"));
> > 		_pam_log_debug(ctx, LOG_DEBUG,
> > 			       "User %s: Clock skew when 
> getting Krb5 TGT\n",
> > 			       username);
> > 	}
> > }
> > 
> > So it looks like you must have some difference in time 
> between the two
> > DC's
> > Try installing ntpdate on each DC and then run on each DC:
> > 
> > ntpdate -d -u 'FQDN of other DC'
> > 
> > You should get a very low 'offset', it is in seconds
> > 
> > Rowland
> 
> Ok, done that and the result on pi-dc:
> root at pi-dc:~# ntpdate -d -u debian-vb.microlynx.org
> 23 Jul 23:48:59 ntpdate[1876]: ntpdate 4.2.8p10 at 1.3728-o Sat 
> Mar 10 18:03:47 UTC
> 2018 (1)
> transmit(192.168.2.6)
> receive(192.168.2.6)
> transmit(192.168.2.6)
> receive(192.168.2.6)
> transmit(192.168.2.6)
> receive(192.168.2.6)
> transmit(192.168.2.6)
> receive(192.168.2.6)
> server 192.168.2.6, port 123
> stratum 2, precision -25, leap 00, trust 000
> refid [192.168.2.6], delay 0.02611, dispersion 0.00000
> transmitted 4, in filter 4
> reference time:    df00d7bd.5789fa50  Mon, Jul 23 2018 23:39:57.341
> originate timestamp: df00d9e1.2f172491  Mon, Jul 23 2018 23:49:05.183
> transmit timestamp:  df00d9e1.2f162fa4  Mon, Jul 23 2018 23:49:05.183
> filter delay:  0.02623  0.02611  0.02614  0.02621
>          0.00000  0.00000  0.00000  0.00000
> filter offset: -0.00029 -0.00034 -0.00034 -0.00033
>          0.000000 0.000000 0.000000 0.000000
> delay 0.02611, dispersion 0.00000
> offset -0.000345
> 
> 23 Jul 23:49:05 ntpdate[1876]: adjust time server 192.168.2.6 
> offset -0.000345
> sec
> 
> Result the other way:
> root at debian-vb:~# ntpdate -d -u pi-dc.microlynx.org
> 23 Jul 23:51:11 ntpdate[18082]: ntpdate 4.2.8p10 at 1.3728-o Sun 
> Feb 25 21:22:56
> UTC 2018 (1)
> transmit(192.168.2.4)
> receive(192.168.2.4)
> transmit(192.168.2.4)
> receive(192.168.2.4)
> transmit(192.168.2.4)
> receive(192.168.2.4)
> transmit(192.168.2.4)
> receive(192.168.2.4)
> server 192.168.2.4, port 123
> stratum 2, precision -22, leap 00, trust 000
> refid [192.168.2.4], delay 0.02605, dispersion 0.00002
> transmitted 4, in filter 4
> reference time:    df00d7ae.eb5aa9d1  Mon, Jul 23 2018 23:39:42.919
> originate timestamp: df00da65.41ba9acc  Mon, Jul 23 2018 23:51:17.256
> transmit timestamp:  df00da65.417e786b  Mon, Jul 23 2018 23:51:17.255
> filter delay:  0.02612  0.02605  0.02606  0.02606
>          0.00000  0.00000  0.00000  0.00000
> filter offset: 0.000586 0.000634 0.000598 0.000606
>          0.000000 0.000000 0.000000 0.000000
> delay 0.02605, dispersion 0.00002
> offset 0.000634
> 
> 23 Jul 23:51:17 ntpdate[18082]: adjust time server 
> 192.168.2.4 offset 0.000634
> sec
> 
> I would say the clocks are pretty much the same :-)
> 
> Thanks for all your help.
> 
> Roy
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>