L.P.H. van Belle
2018-Jul-24 08:40 UTC
[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller
I did re-read the whole thread again.
I'm running out of options..
When I look at:
https://wiki.samba.org/index.php/PAM_Offline_Authentication
You can do these last checks.
Run the "Testing offline authentication" as shown on the wiki.
Debian normally does not have /etc/security/pam_winbind.conf, check if it's there,
if so, back it up and remove it.
Check if these packages are installed.
libpam-krb5
libpam-winbind
libnss-winbind
Now edit:
/usr/share/pam-configs/winbind
And change it to: (see debug debug_state)
Auth:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass debug debug_state
Auth-Initial:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login debug debug_state
Run: pam-auth-update
And login again.
Let's see what you get of that debug output.
Greetz,
Louis
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Roy Eastwood via samba
> Sent: Tuesday 24 July 2018 0:54
> To: samba at lists.samba.org
> Subject: Re: [Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller
>
> > > As roy (after logging in and getting the message:
> > > Failed to establish your Kerberos Ticket cache due time differences
> > > with the domain controller. Please verify the system time.
> >
> > OK, I know where the message is coming from ;-)
> >
> > samba-master/nsswitch/pam_winbind.c
> >
> > line 1441
> >
> > static void _pam_warn_krb5_failure(struct pwb_context *ctx,
> >                                    const char *username,
> >                                    uint32_t info3_user_flgs)
> > {
> >     if (PAM_WB_KRB5_CLOCK_SKEW(info3_user_flgs)) {
> >         _make_remark(ctx, PAM_ERROR_MSG,
> >                      _("Failed to establish your Kerberos Ticket cache "
> >                        "due time differences\n"
> >                        "with the domain controller. "
> >                        "Please verify the system time.\n"));
> >         _pam_log_debug(ctx, LOG_DEBUG,
> >                        "User %s: Clock skew when getting Krb5 TGT\n",
> >                        username);
> >     }
> > }
> >
> > So it looks like you must have some difference in time between the two DC's
> > Try installing ntpdate on each DC and then run on each DC:
> >
> > ntpdate -d -u 'FQDN of other DC'
> >
> > You should get a very low 'offset', it is in seconds
> >
> > Rowland
>
> Ok, done that and the result on pi-dc:
> root@pi-dc:~# ntpdate -d -u debian-vb.microlynx.org
> 23 Jul 23:48:59 ntpdate[1876]: ntpdate 4.2.8p10@1.3728-o Sat Mar 10 18:03:47 UTC 2018 (1)
> transmit(192.168.2.6)
> receive(192.168.2.6)
> transmit(192.168.2.6)
> receive(192.168.2.6)
> transmit(192.168.2.6)
> receive(192.168.2.6)
> transmit(192.168.2.6)
> receive(192.168.2.6)
> server 192.168.2.6, port 123
> stratum 2, precision -25, leap 00, trust 000
> refid [192.168.2.6], delay 0.02611, dispersion 0.00000
> transmitted 4, in filter 4
> reference time: df00d7bd.5789fa50 Mon, Jul 23 2018 23:39:57.341
> originate timestamp: df00d9e1.2f172491 Mon, Jul 23 2018 23:49:05.183
> transmit timestamp: df00d9e1.2f162fa4 Mon, Jul 23 2018 23:49:05.183
> filter delay: 0.02623 0.02611 0.02614 0.02621
> 0.00000 0.00000 0.00000 0.00000
> filter offset: -0.00029 -0.00034 -0.00034 -0.00033
> 0.000000 0.000000 0.000000 0.000000
> delay 0.02611, dispersion 0.00000
> offset -0.000345
>
> 23 Jul 23:49:05 ntpdate[1876]: adjust time server 192.168.2.6 offset -0.000345 sec
>
> Result the other way:
> root@debian-vb:~# ntpdate -d -u pi-dc.microlynx.org
> 23 Jul 23:51:11 ntpdate[18082]: ntpdate 4.2.8p10@1.3728-o Sun Feb 25 21:22:56 UTC 2018 (1)
> transmit(192.168.2.4)
> receive(192.168.2.4)
> transmit(192.168.2.4)
> receive(192.168.2.4)
> transmit(192.168.2.4)
> receive(192.168.2.4)
> transmit(192.168.2.4)
> receive(192.168.2.4)
> server 192.168.2.4, port 123
> stratum 2, precision -22, leap 00, trust 000
> refid [192.168.2.4], delay 0.02605, dispersion 0.00002
> transmitted 4, in filter 4
> reference time: df00d7ae.eb5aa9d1 Mon, Jul 23 2018 23:39:42.919
> originate timestamp: df00da65.41ba9acc Mon, Jul 23 2018 23:51:17.256
> transmit timestamp: df00da65.417e786b Mon, Jul 23 2018 23:51:17.255
> filter delay: 0.02612 0.02605 0.02606 0.02606
> 0.00000 0.00000 0.00000 0.00000
> filter offset: 0.000586 0.000634 0.000598 0.000606
> 0.000000 0.000000 0.000000 0.000000
> delay 0.02605, dispersion 0.00002
> offset 0.000634
>
> 23 Jul 23:51:17 ntpdate[18082]: adjust time server 192.168.2.4 offset 0.000634 sec
>
> I would say the clocks are pretty much the same :-)
>
> Thanks for all your help.
>
> Roy
Roy Eastwood
2018-Jul-24 09:32 UTC
[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of L.P.H. van Belle via samba
> Sent: 24 July 2018 09:41
> To: samba at lists.samba.org
> Subject: Re: [Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller
>
> I did re-read the whole thread again.
>
> Im running out of options..
>
> When i look at :
> https://wiki.samba.org/index.php/PAM_Offline_Authentication
> You can do these last checks.
>
> Run the : Testing offline authentication as show on the wiki.

I added winbind offline login = yes to the smb.conf file and restarted samba-ad-dc. But as winbind/winbindd is not started separately I couldn't work out how to take winbind offline. "smbcontrol winbind offline" doesn't seem to do anything.

> Debian normaly does not have /etc/security/pam_winbind.conf, check if its there
> if so backup it remove it.
>

No it's not present.

> Check if these packages are installed.
> libpam-krb5
> libpam-winbind
> libnss-winbind
>

dpkg-query -s reports these are not installed, but samba was compiled from sources and libnss_winbind.so.2 links are in place, as is also the link for pam.winbind.so:

root@pi-dc:~# ls -l /lib/arm-linux-gnueabihf/libnss_winbind*
lrwxrwxrwx 1 root root 44 Jul 21 00:26 /lib/arm-linux-gnueabihf/libnss_winbind.so -> /lib/arm-linux-gnueabihf/libnss_winbind.so.2
lrwxrwxrwx 1 root root 40 Jul 21 00:26 /lib/arm-linux-gnueabihf/libnss_winbind.so.2 -> /usr/local/samba/lib/libnss_winbind.so.2
root@pi-dc:~# ls -l /lib/arm-linux-gnueabihf/security/pam_winbind*
lrwxrwxrwx 1 root root 44 Jul 21 08:23 /lib/arm-linux-gnueabihf/security/pam_winbind.so -> /usr/local/samba/lib/security/pam_winbind.so

> Now edit :
> /usr/share/pam-configs/winbind
>
> And change it to : (see debug debug_state)
> Auth:
> [success=end default=ignore] pam_winbind.so krb5_auth
> krb5_ccache_type=FILE cached_login try_first_pass debug debug_state
> Auth-Initial:
> [success=end default=ignore] pam_winbind.so krb5_auth
> krb5_ccache_type=FILE cached_login debug debug_state
>
>
> Run : pam-auth-update
> And login again.
>
> Lets see what you get of that debug output.
>

OK, after making the changes to /usr/share/pam-configs/winbind and running pam-auth-update and logging in as AD user roy, auth.log has this:

Jul 24 10:13:18 pi-dc sshd[865]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.240 user=roy
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] ENTER: pam_sm_authenticate (flags: 0x0001)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_USER) = "roy" (0x1021aa8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_AUTHTOK) = 0x1021ab8
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_CONV) = 0x102c068
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): getting password (0x00001389)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): pam_get_item returned a password
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): Verify user 'roy'
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE'
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): enabling krb5 login flag
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): enabling cached login flag
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): enabling request for a FILE krb5 ccache
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): user 'roy' granted access
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): User roy: Clock skew when getting Krb5 TGT
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): Returned user was 'MICROLYNX\roy'
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_USER) = "MICROLYNX\roy" (0x1024808)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_AUTHTOK) = 0x1021ab8
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_CONV) = 0x102c068
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\lion-x99\users\roy" (0x102e340)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "PI-DC" (0x102e3a8)
Jul 24 10:13:18 pi-dc sshd[865]: Accepted password for roy from 192.168.2.240 port 59748 ssh2
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] ENTER: pam_sm_setcred (flags: 0x0002)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_USER) = "MICROLYNX\roy" (0x1024808)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_CONV) = 0x101f128
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\lion-x99\users\roy" (0x102e340)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "PI-DC" (0x102e3a8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_USER) = "MICROLYNX\roy" (0x1024808)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_CONV) = 0x101f128
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\lion-x99\users\roy" (0x102e340)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "PI-DC" (0x102e3a8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_unix(sshd:session): session opened for user MICROLYNX\roy by (uid=0)
Jul 24 10:13:19 pi-dc systemd-logind[293]: New session c8 of user MICROLYNX\roy.
Jul 24 10:13:19 pi-dc systemd: pam_unix(systemd-user:session): session opened for user MICROLYNX\roy by (uid=0)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] ENTER: pam_sm_setcred (flags: 0x0002)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_USER) = "MICROLYNX\roy" (0x1024808)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_CONV) = 0x101f4d0
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\lion-x99\users\roy" (0x102e340)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "PI-DC" (0x102e3a8)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_USER) = "MICROLYNX\roy" (0x1024808)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_CONV) = 0x101f4d0
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\lion-x99\users\roy" (0x102e340)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "PI-DC" (0x102e3a8)

HTH
Roy
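Added example, not part of Roy's post or of Samba: a shell/awk filter that reduces pam_winbind debug output like the above to one line per sshd process, showing whether the logon itself succeeded and whether the Kerberos clock-skew warning was raised. The sample log is constructed from the message texts in the post; the user alice and PID 901 are invented for contrast.

```shell
#!/bin/sh
# Constructed sample: the first login mirrors the post above, the second is invented.
sample_log() {
cat <<'EOF'
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): Verify user 'roy'
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): user 'roy' granted access
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): User roy: Clock skew when getting Krb5 TGT
Jul 24 10:14:02 pi-dc sshd[901]: pam_winbind(sshd:auth): Verify user 'alice'
Jul 24 10:14:02 pi-dc sshd[901]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
Jul 24 10:14:02 pi-dc sshd[901]: pam_winbind(sshd:auth): user 'alice' granted access
EOF
}

# Reads auth.log lines on stdin and prints, per sshd PID:
#   <pid> <user> logon=<yes|no> krb5=<clock-skew|no-warning>
winbind_krb5_summary() {
    awk -v q="'" '
    /pam_winbind\(/ {
        # The PID is the number inside "sshd[NNN]:"; "[pamh: ...]" does not match.
        if (!match($0, /\[[0-9]+\]:/)) next
        pid = substr($0, RSTART + 1, RLENGTH - 3)
        if (!(pid in seen)) { seen[pid] = 1; order[++n] = pid }
        # "Verify user" carries the name as typed, before domain qualification.
        if (match($0, "Verify user " q "[^" q "]+" q))
            user[pid] = substr($0, RSTART + 13, RLENGTH - 14)
        if ($0 ~ /request wbcLogonUser succeeded/) logon[pid] = 1
        if ($0 ~ /Clock skew when getting Krb5 TGT/) skew[pid] = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            printf "%s %s logon=%s krb5=%s\n", p, user[p],
                (logon[p] ? "yes" : "no"),
                (skew[p] ? "clock-skew" : "no-warning")
        }
    }'
}

sample_log | winbind_krb5_summary
```

A line reading logon=yes krb5=clock-skew is the situation in this thread: the password check passes and access is granted, but the warning fires and no ticket cache is established. On a real host, feed the function /var/log/auth.log instead of the sample.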
Rowland Penny
2018-Jul-24 09:50 UTC
[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller
On Tue, 24 Jul 2018 10:32:32 +0100
Roy Eastwood via samba <samba at lists.samba.org> wrote:

> > -----Original Message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> > L.P.H. van Belle via samba
> > Sent: 24 July 2018 09:41
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Failed to establish your Kerberos Ticket cache
> > due time differences with the domain controller
> >
> > I did re-read the whole thread again.
> >
> > Im running out of options..
> >
> > When i look at :
> > https://wiki.samba.org/index.php/PAM_Offline_Authentication
> > You can do these last checks.
> >
> > Run the : Testing offline authentication as show on the wiki.
>
> I added winbind offline login = yes to the smb.conf file and
> restarted samba-ad-dc. But as winbind/winbindd is not started
> separately I couldn't work out how to take winbind offline.
> "smbcontrol winbind offline" doesn't seem to do anything.
>

Adding that line to a DC does not make sense, it is only any use on something like a laptop, these have been known to wander away from the domain ;-) A DC cannot wander away from itself.

> > Check if these packages are installed.
> > libpam-krb5

Install this package, it isn't part of Samba

Rowland