L.P.H. van Belle
2018-Jul-24 08:40 UTC
[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller
I did re-read the whole thread again.

I'm running out of options..

When I look at:
https://wiki.samba.org/index.php/PAM_Offline_Authentication
You can do these last checks.

Run the: Testing offline authentication as shown on the wiki.

Debian normally does not have /etc/security/pam_winbind.conf, check if it's there; if so, back it up and remove it.

Check if these packages are installed.
libpam-krb5
libpam-winbind
libnss-winbind

Now edit:
/usr/share/pam-configs/winbind

And change it to: (see debug debug_state)
Auth:
        [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass debug debug_state
Auth-Initial:
        [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login debug debug_state

Run: pam-auth-update
And login again.

Let's see what you get of that debug output.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Roy Eastwood via samba
> Sent: Tuesday 24 July 2018 0:54
> To: samba at lists.samba.org
> Subject: Re: [Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller
>
> > > As roy (after logging in and getting the message:
> > > Failed to establish your Kerberos Ticket cache due time differences
> > > with the domain controller. Please verify the system time.
> >
> > OK, I know where the message is coming from ;-)
> >
> > samba-master/nsswitch/pam_winbind.c
> >
> > line 1441
> >
> > static void _pam_warn_krb5_failure(struct pwb_context *ctx,
> >                                    const char *username,
> >                                    uint32_t info3_user_flgs)
> > {
> >         if (PAM_WB_KRB5_CLOCK_SKEW(info3_user_flgs)) {
> >                 _make_remark(ctx, PAM_ERROR_MSG,
> >                              _("Failed to establish your Kerberos Ticket cache "
> >                                "due time differences\n"
> >                                "with the domain controller. "
> >                                "Please verify the system time.\n"));
> >                 _pam_log_debug(ctx, LOG_DEBUG,
> >                                "User %s: Clock skew when getting Krb5 TGT\n",
> >                                username);
> >         }
> > }
> >
> > So it looks like you must have some difference in time between the two
> > DC's
> > Try installing ntpdate on each DC and then run on each DC:
> >
> > ntpdate -d -u 'FQDN of other DC'
> >
> > You should get a very low 'offset', it is in seconds
> >
> > Rowland
>
> Ok, done that and the result on pi-dc:
> root@pi-dc:~# ntpdate -d -u debian-vb.microlynx.org
> 23 Jul 23:48:59 ntpdate[1876]: ntpdate 4.2.8p10@1.3728-o Sat Mar 10 18:03:47 UTC 2018 (1)
> transmit(192.168.2.6)
> receive(192.168.2.6)
> transmit(192.168.2.6)
> receive(192.168.2.6)
> transmit(192.168.2.6)
> receive(192.168.2.6)
> transmit(192.168.2.6)
> receive(192.168.2.6)
> server 192.168.2.6, port 123
> stratum 2, precision -25, leap 00, trust 000
> refid [192.168.2.6], delay 0.02611, dispersion 0.00000
> transmitted 4, in filter 4
> reference time: df00d7bd.5789fa50 Mon, Jul 23 2018 23:39:57.341
> originate timestamp: df00d9e1.2f172491 Mon, Jul 23 2018 23:49:05.183
> transmit timestamp: df00d9e1.2f162fa4 Mon, Jul 23 2018 23:49:05.183
> filter delay: 0.02623 0.02611 0.02614 0.02621
>               0.00000 0.00000 0.00000 0.00000
> filter offset: -0.00029 -0.00034 -0.00034 -0.00033
>                0.000000 0.000000 0.000000 0.000000
> delay 0.02611, dispersion 0.00000
> offset -0.000345
>
> 23 Jul 23:49:05 ntpdate[1876]: adjust time server 192.168.2.6 offset -0.000345 sec
>
> Result the other way:
> root@debian-vb:~# ntpdate -d -u pi-dc.microlynx.org
> 23 Jul 23:51:11 ntpdate[18082]: ntpdate 4.2.8p10@1.3728-o Sun Feb 25 21:22:56 UTC 2018 (1)
> transmit(192.168.2.4)
> receive(192.168.2.4)
> transmit(192.168.2.4)
> receive(192.168.2.4)
> transmit(192.168.2.4)
> receive(192.168.2.4)
> transmit(192.168.2.4)
> receive(192.168.2.4)
> server 192.168.2.4, port 123
> stratum 2, precision -22, leap 00, trust 000
> refid [192.168.2.4], delay 0.02605, dispersion 0.00002
> transmitted 4, in filter 4
> reference time: df00d7ae.eb5aa9d1 Mon, Jul 23 2018 23:39:42.919
> originate timestamp: df00da65.41ba9acc Mon, Jul 23 2018 23:51:17.256
> transmit timestamp: df00da65.417e786b Mon, Jul 23 2018 23:51:17.255
> filter delay: 0.02612 0.02605 0.02606 0.02606
>               0.00000 0.00000 0.00000 0.00000
> filter offset: 0.000586 0.000634 0.000598 0.000606
>                0.000000 0.000000 0.000000 0.000000
> delay 0.02605, dispersion 0.00002
> offset 0.000634
>
> 23 Jul 23:51:17 ntpdate[18082]: adjust time server 192.168.2.4 offset 0.000634 sec
>
> I would say the clocks are pretty much the same :-)
>
> Thanks for all your help.
>
> Roy
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Roy Eastwood
2018-Jul-24 09:32 UTC
[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of L.P.H. van Belle via samba
> Sent: 24 July 2018 09:41
> To: samba at lists.samba.org
> Subject: Re: [Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller
>
> I did re-read the whole thread again.
>
> I'm running out of options..
>
> When I look at:
> https://wiki.samba.org/index.php/PAM_Offline_Authentication
> You can do these last checks.
>
> Run the: Testing offline authentication as shown on the wiki.

I added winbind offline login = yes to the smb.conf file and restarted samba-ad-dc. But as winbind/winbindd is not started separately I couldn't work out how to take winbind offline. "smbcontrol winbind offline" doesn't seem to do anything.

> Debian normally does not have /etc/security/pam_winbind.conf, check if it's there;
> if so, back it up and remove it.

No it's not present.

> Check if these packages are installed.
> libpam-krb5
> libpam-winbind
> libnss-winbind

dpkg-query -s reports these are not installed, but samba was compiled from sources and libnss_winbind.so.2 links are in place, as is also the link for pam_winbind.so:

root@pi-dc:~# ls -l /lib/arm-linux-gnueabihf/libnss_winbind*
lrwxrwxrwx 1 root root 44 Jul 21 00:26 /lib/arm-linux-gnueabihf/libnss_winbind.so -> /lib/arm-linux-gnueabihf/libnss_winbind.so.2
lrwxrwxrwx 1 root root 40 Jul 21 00:26 /lib/arm-linux-gnueabihf/libnss_winbind.so.2 -> /usr/local/samba/lib/libnss_winbind.so.2
root@pi-dc:~# ls -l /lib/arm-linux-gnueabihf/security/pam_winbind*
lrwxrwxrwx 1 root root 44 Jul 21 08:23 /lib/arm-linux-gnueabihf/security/pam_winbind.so -> /usr/local/samba/lib/security/pam_winbind.so

> Now edit:
> /usr/share/pam-configs/winbind
>
> And change it to: (see debug debug_state)
> Auth:
>         [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass debug debug_state
> Auth-Initial:
>         [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login debug debug_state
>
> Run: pam-auth-update
> And login again.
>
> Let's see what you get of that debug output.

OK, after making the changes to /usr/share/pam-configs/winbind and running pam-auth-update and logging in as AD user roy, auth.log has this:

Jul 24 10:13:18 pi-dc sshd[865]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.240 user=roy
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] ENTER: pam_sm_authenticate (flags: 0x0001)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_USER) = "roy" (0x1021aa8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_AUTHTOK) = 0x1021ab8
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_CONV) = 0x102c068
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): getting password (0x00001389)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): pam_get_item returned a password
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): Verify user 'roy'
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE'
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): enabling krb5 login flag
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): enabling cached login flag
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): enabling request for a FILE krb5 ccache
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): user 'roy' granted access
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): User roy: Clock skew when getting Krb5 TGT
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): Returned user was 'MICROLYNX\roy'
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_USER) = "MICROLYNX\roy" (0x1024808)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_AUTHTOK) = 0x1021ab8
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_CONV) = 0x102c068
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\lion-x99\users\roy" (0x102e340)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "PI-DC" (0x102e3a8)
Jul 24 10:13:18 pi-dc sshd[865]: Accepted password for roy from 192.168.2.240 port 59748 ssh2
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] ENTER: pam_sm_setcred (flags: 0x0002)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_USER) = "MICROLYNX\roy" (0x1024808)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_CONV) = 0x101f128
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\lion-x99\users\roy" (0x102e340)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "PI-DC" (0x102e3a8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_USER) = "MICROLYNX\roy" (0x1024808)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_CONV) = 0x101f128
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\lion-x99\users\roy" (0x102e340)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "PI-DC" (0x102e3a8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_unix(sshd:session): session opened for user MICROLYNX\roy by (uid=0)
Jul 24 10:13:19 pi-dc systemd-logind[293]: New session c8 of user MICROLYNX\roy.
Jul 24 10:13:19 pi-dc systemd: pam_unix(systemd-user:session): session opened for user MICROLYNX\roy by (uid=0)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] ENTER: pam_sm_setcred (flags: 0x0002)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_USER) = "MICROLYNX\roy" (0x1024808)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_CONV) = 0x101f4d0
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\lion-x99\users\roy" (0x102e340)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "PI-DC" (0x102e3a8)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_USER) = "MICROLYNX\roy" (0x1024808)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_CONV) = 0x101f4d0
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\lion-x99\users\roy" (0x102e340)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "PI-DC" (0x102e3a8)

HTH

Roy
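The manual checks in this thread (reading the pam_winbind debug log and comparing `ntpdate -d` offsets), as an added example that is not part of the original messages: it picks out logins that pam_winbind granted while also logging the TGT clock-skew failure, reads the final offset from ntpdate output, and reports whether the measured offset could account for the failure. The sample input is constructed in the format of the quoted output (user alice and pid 901 are invented), and the 300-second limit is an assumption based on the usual 5-minute Kerberos tolerance.

```python
import re

# Constructed samples in the format of the auth.log and ntpdate output quoted
# in this thread; user "alice" and sshd pid 901 are invented for contrast.
SAMPLE_LOG = """\
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): user 'roy' granted access
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): User roy: Clock skew when getting Krb5 TGT
Jul 24 10:13:18 pi-dc sshd[865]: Accepted password for roy from 192.168.2.240 port 59748 ssh2
Jul 24 10:20:01 pi-dc sshd[901]: pam_winbind(sshd:auth): user 'alice' granted access
"""
SAMPLE_NTPDATE = """\
filter offset: -0.00029 -0.00034 -0.00034 -0.00033
delay 0.02611, dispersion 0.00000
offset -0.000345
"""

MAX_SKEW = 300.0  # assumption: the usual 5-minute Kerberos tolerance, in seconds

# syslog prefix: timestamp, host, process[pid], then the message text
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) [^\[\s]+\[(\d+)\]: (.*)$")
GRANTED = re.compile(r"pam_winbind\(\S+\): user '([^']+)' granted access")
SKEW = re.compile(r"pam_winbind\(\S+\): User (\S+): Clock skew when getting Krb5 TGT")

def logins_without_tgt(log_text):
    """Logins pam_winbind granted while also logging a TGT clock-skew failure."""
    granted, skewed = {}, set()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines without a process[pid] prefix are ignored
        ts, host, pid, msg = m.groups()
        g, k = GRANTED.search(msg), SKEW.search(msg)
        if g:
            granted[(host, int(pid), g.group(1))] = ts
        elif k:
            skewed.add((host, int(pid), k.group(1)))
    # Correlate on (host, pid, user): both messages come from the same sshd process.
    return [{"time": granted[key], "host": key[0], "pid": key[1], "user": key[2]}
            for key in sorted(skewed) if key in granted]

def ntpdate_offset(output):
    """Final offset in seconds from `ntpdate -d` output, or None if absent."""
    found = re.findall(r"^offset\s+(-?\d+(?:\.\d+)?)\s*$", output, re.MULTILINE)
    return float(found[-1]) if found else None

def measured_skew_explains(findings, offset, limit=MAX_SKEW):
    """True only if a skew was logged and the measured offset exceeds the limit."""
    return bool(findings) and offset is not None and abs(offset) > limit
```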
Rowland Penny
2018-Jul-24 09:50 UTC
[Samba] Failed to establish your Kerberos Ticket cache due time differences with the domain controller
On Tue, 24 Jul 2018 10:32:32 +0100 Roy Eastwood via samba <samba at lists.samba.org> wrote:

> > -----Original Message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> > L.P.H. van Belle via samba
> > Sent: 24 July 2018 09:41
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Failed to establish your Kerberos Ticket cache
> > due time differences with the domain controller
> >
> > I did re-read the whole thread again.
> >
> > I'm running out of options..
> >
> > When I look at:
> > https://wiki.samba.org/index.php/PAM_Offline_Authentication
> > You can do these last checks.
> >
> > Run the: Testing offline authentication as shown on the wiki.
>
> I added winbind offline login = yes to the smb.conf file and
> restarted samba-ad-dc. But as winbind/winbindd is not started
> separately I couldn't work out how to take winbind offline.
> "smbcontrol winbind offline" doesn't seem to do anything.

Adding that line to a DC does not make sense, it is only any use on something like a laptop, these have been known to wander away from the domain ;-)
A DC cannot wander away from itself.

> > Check if these packages are installed.
> > libpam-krb5

Install this package, it isn't part of Samba

Rowland