samba - Jul 2018 - Failed to establish your Kerberos Ticket cache due time differences with the domain controller

I did re-read the whole thread again. 

Im running out of options.. 

When i look at : 
https://wiki.samba.org/index.php/PAM_Offline_Authentication 
You can do these last checks. 

Run the :  Testing offline authentication as show on the wiki. 

Debian normaly does not have /etc/security/pam_winbind.conf, check if its there
if so backup it remove it.

Check if these packages are installed. 
libpam-krb5
libpam-winbind
libnss-winbind 

Now edit : 
/usr/share/pam-configs/winbind 

And change it to : (see debug debug_state)
Auth:
        [success=end default=ignore]    pam_winbind.so krb5_auth
krb5_ccache_type=FILE cached_login try_first_pass debug debug_state
Auth-Initial:
        [success=end default=ignore]    pam_winbind.so krb5_auth
krb5_ccache_type=FILE cached_login debug debug_state


Run : pam-auth-update 
And login again. 

Lets see what you get of that debug output. 



Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Roy 
> Eastwood via samba
> Verzonden: dinsdag 24 juli 2018 0:54
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Failed to establish your Kerberos 
> Ticket cache due time differences with the domain controller
> 
> > > As roy (after logging in and getting the message:
> > > Failed to establish your Kerberos Ticket cache due time 
> differences
> > > with the domain controller.  Please verify the system time.
> > 
> > OK, I know where the message is coming from ;-)
> > 
> > samba-master/nsswitch/pam_winbind.c
> > 
> > line 1441
> > 
> > static void _pam_warn_krb5_failure(struct pwb_context *ctx,
> > 				   const char *username,
> > 				   uint32_t info3_user_flgs)
> > {
> > 	if (PAM_WB_KRB5_CLOCK_SKEW(info3_user_flgs)) {
> > 		_make_remark(ctx, PAM_ERROR_MSG,
> > 			     _("Failed to establish your 
> Kerberos Ticket cache "
> > 			       "due time differences\n"
> > 			       "with the domain controller.  "
> > 			       "Please verify the system time.\n"));
> > 		_pam_log_debug(ctx, LOG_DEBUG,
> > 			       "User %s: Clock skew when 
> getting Krb5 TGT\n",
> > 			       username);
> > 	}
> > }
> > 
> > So it looks like you must have some difference in time 
> between the two
> > DC's
> > Try installing ntpdate on each DC and then run on each DC:
> > 
> > ntpdate -d -u 'FQDN of other DC'
> > 
> > You should get a very low 'offset', it is in seconds
> > 
> > Rowland
> 
> Ok, done that and the result on pi-dc:
> root at pi-dc:~# ntpdate -d -u debian-vb.microlynx.org
> 23 Jul 23:48:59 ntpdate[1876]: ntpdate 4.2.8p10 at 1.3728-o Sat 
> Mar 10 18:03:47 UTC
> 2018 (1)
> transmit(192.168.2.6)
> receive(192.168.2.6)
> transmit(192.168.2.6)
> receive(192.168.2.6)
> transmit(192.168.2.6)
> receive(192.168.2.6)
> transmit(192.168.2.6)
> receive(192.168.2.6)
> server 192.168.2.6, port 123
> stratum 2, precision -25, leap 00, trust 000
> refid [192.168.2.6], delay 0.02611, dispersion 0.00000
> transmitted 4, in filter 4
> reference time:    df00d7bd.5789fa50  Mon, Jul 23 2018 23:39:57.341
> originate timestamp: df00d9e1.2f172491  Mon, Jul 23 2018 23:49:05.183
> transmit timestamp:  df00d9e1.2f162fa4  Mon, Jul 23 2018 23:49:05.183
> filter delay:  0.02623  0.02611  0.02614  0.02621
>          0.00000  0.00000  0.00000  0.00000
> filter offset: -0.00029 -0.00034 -0.00034 -0.00033
>          0.000000 0.000000 0.000000 0.000000
> delay 0.02611, dispersion 0.00000
> offset -0.000345
> 
> 23 Jul 23:49:05 ntpdate[1876]: adjust time server 192.168.2.6 
> offset -0.000345
> sec
> 
> Result the other way:
> root at debian-vb:~# ntpdate -d -u pi-dc.microlynx.org
> 23 Jul 23:51:11 ntpdate[18082]: ntpdate 4.2.8p10 at 1.3728-o Sun 
> Feb 25 21:22:56
> UTC 2018 (1)
> transmit(192.168.2.4)
> receive(192.168.2.4)
> transmit(192.168.2.4)
> receive(192.168.2.4)
> transmit(192.168.2.4)
> receive(192.168.2.4)
> transmit(192.168.2.4)
> receive(192.168.2.4)
> server 192.168.2.4, port 123
> stratum 2, precision -22, leap 00, trust 000
> refid [192.168.2.4], delay 0.02605, dispersion 0.00002
> transmitted 4, in filter 4
> reference time:    df00d7ae.eb5aa9d1  Mon, Jul 23 2018 23:39:42.919
> originate timestamp: df00da65.41ba9acc  Mon, Jul 23 2018 23:51:17.256
> transmit timestamp:  df00da65.417e786b  Mon, Jul 23 2018 23:51:17.255
> filter delay:  0.02612  0.02605  0.02606  0.02606
>          0.00000  0.00000  0.00000  0.00000
> filter offset: 0.000586 0.000634 0.000598 0.000606
>          0.000000 0.000000 0.000000 0.000000
> delay 0.02605, dispersion 0.00002
> offset 0.000634
> 
> 23 Jul 23:51:17 ntpdate[18082]: adjust time server 
> 192.168.2.4 offset 0.000634
> sec
> 
> I would say the clocks are pretty much the same :-)
> 
> Thanks for all your help.
> 
> Roy
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of L.P.H.
van
> Belle via samba
> Sent: 24 July 2018 09:41
> To: samba at lists.samba.org
> Subject: Re: [Samba] Failed to establish your Kerberos Ticket cache due
time
> differences with the domain controller
> 
> I did re-read the whole thread again.
> 
> Im running out of options..
> 
> When i look at :
> https://wiki.samba.org/index.php/PAM_Offline_Authentication
> You can do these last checks.
> 
> Run the :  Testing offline authentication as show on the wiki.
I added winbind offline login = yes to the smb.conf file and restarted
samba-ad-dc.   But as winbind/winbindd is not started separately I couldn't
work out how to take winbind offline.   "smbcontrol winbind offline"
doesn't seem to do anything.
> 
> Debian normaly does not have /etc/security/pam_winbind.conf, check if its
there
> if so backup it remove it.
> 
No it's not present.
> Check if these packages are installed.
> libpam-krb5
> libpam-winbind
> libnss-winbind
> 
dpkg-query -s reports these are not installed, but samba was compiled from
sources and libnss_winbind.so.2 links are in place, as is also the link for
pam.winbind.so:
root at pi-dc:~# ls -l /lib/arm-linux-gnueabihf/libnss_winbind*
lrwxrwxrwx 1 root root 44 Jul 21 00:26
/lib/arm-linux-gnueabihf/libnss_winbind.so ->
/lib/arm-linux-gnueabihf/libnss_winbind.so.2
lrwxrwxrwx 1 root root 40 Jul 21 00:26
/lib/arm-linux-gnueabihf/libnss_winbind.so.2 ->
/usr/local/samba/lib/libnss_winbind.so.2

root at pi-dc:~# ls -l /lib/arm-linux-gnueabihf/security/pam_winbind*
lrwxrwxrwx 1 root root 44 Jul 21 08:23
/lib/arm-linux-gnueabihf/security/pam_winbind.so ->
/usr/local/samba/lib/security/pam_winbind.so
> Now edit :
> /usr/share/pam-configs/winbind
> 
> And change it to : (see debug debug_state)
> Auth:
>         [success=end default=ignore]    pam_winbind.so krb5_auth
> krb5_ccache_type=FILE cached_login try_first_pass debug debug_state
> Auth-Initial:
>         [success=end default=ignore]    pam_winbind.so krb5_auth
> krb5_ccache_type=FILE cached_login debug debug_state
> 
> 
> Run : pam-auth-update
> And login again.
> 
> Lets see what you get of that debug output.
> 
OK, after making the changes to /usr/share/pam-configs/winbind  and running
pam-auth-update and logging in as AD user roy, auth.log has this:
Jul 24 10:13:18 pi-dc sshd[865]: pam_unix(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.240  user=roy
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38]
ENTER: pam_sm_authenticate (flags: 0x0001)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38]
STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38]
STATE: ITEM(PAM_USER) = "roy" (0x1021aa8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38]
STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38]
STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38]
STATE: ITEM(PAM_AUTHTOK) = 0x1021ab8
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38]
STATE: ITEM(PAM_CONV) = 0x102c068
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): getting password
(0x00001389)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): pam_get_item returned a
password
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): Verify user
'roy'
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): PAM config:
krb5_ccache_type 'FILE'
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): enabling krb5 login
flag
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): enabling cached login
flag
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): enabling request for a
FILE krb5 ccache
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): request wbcLogonUser
succeeded
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): user 'roy'
granted access
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): User roy: Clock skew
when getting Krb5 TGT
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): Returned user was
'MICROLYNX\roy'
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38]
LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38]
STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38]
STATE: ITEM(PAM_USER) = "MICROLYNX\roy" (0x1024808)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38]
STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38]
STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38]
STATE: ITEM(PAM_AUTHTOK) = 0x1021ab8
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38]
STATE: ITEM(PAM_CONV) = 0x102c068
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38]
STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\lion-x99\users\roy" (0x102e340)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38]
STATE: DATA(PAM_WINBIND_LOGONSERVER) = "PI-DC" (0x102e3a8)
Jul 24 10:13:18 pi-dc sshd[865]: Accepted password for roy from 192.168.2.240
port 59748 ssh2
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
ENTER: pam_sm_setcred (flags: 0x0002)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: ITEM(PAM_USER) = "MICROLYNX\roy" (0x1024808)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: ITEM(PAM_CONV) = 0x101f128
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\lion-x99\users\roy" (0x102e340)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: DATA(PAM_WINBIND_LOGONSERVER) = "PI-DC" (0x102e3a8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED
not implemented
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: ITEM(PAM_USER) = "MICROLYNX\roy" (0x1024808)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: ITEM(PAM_CONV) = 0x101f128
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\lion-x99\users\roy" (0x102e340)
Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: DATA(PAM_WINBIND_LOGONSERVER) = "PI-DC" (0x102e3a8)
Jul 24 10:13:18 pi-dc sshd[865]: pam_unix(sshd:session): session opened for user
MICROLYNX\roy by (uid=0)
Jul 24 10:13:19 pi-dc systemd-logind[293]: New session c8 of user MICROLYNX\roy.
Jul 24 10:13:19 pi-dc systemd: pam_unix(systemd-user:session): session opened
for user MICROLYNX\roy by (uid=0)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
ENTER: pam_sm_setcred (flags: 0x0002)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: ITEM(PAM_USER) = "MICROLYNX\roy" (0x1024808)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: ITEM(PAM_CONV) = 0x101f4d0
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\lion-x99\users\roy" (0x102e340)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: DATA(PAM_WINBIND_LOGONSERVER) = "PI-DC" (0x102e3a8)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED
not implemented
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: ITEM(PAM_USER) = "MICROLYNX\roy" (0x1024808)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: ITEM(PAM_TTY) = "ssh" (0x102c040)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: ITEM(PAM_CONV) = 0x101f4d0
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\lion-x99\users\roy" (0x102e340)
Jul 24 10:13:19 pi-dc sshd[884]: pam_winbind(sshd:setcred): [pamh: 0x1022c38]
STATE: DATA(PAM_WINBIND_LOGONSERVER) = "PI-DC" (0x102e3a8)

HTH

Roy

On Tue, 24 Jul 2018 10:32:32 +0100
Roy Eastwood via samba <samba at lists.samba.org> wrote:
> 
> 
> > -----Original Message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> > L.P.H. van Belle via samba
> > Sent: 24 July 2018 09:41
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Failed to establish your Kerberos Ticket cache
> > due time differences with the domain controller
> > 
> > I did re-read the whole thread again.
> > 
> > Im running out of options..
> > 
> > When i look at :
> > https://wiki.samba.org/index.php/PAM_Offline_Authentication
> > You can do these last checks.
> > 
> > Run the :  Testing offline authentication as show on the wiki.
> 
> I added winbind offline login = yes to the smb.conf file and
> restarted samba-ad-dc.   But as winbind/winbindd is not started
> separately I couldn't work out how to take winbind offline.
> "smbcontrol winbind offline" doesn't seem to do anything.
> 
Adding that line to a DC does not make sense, it is only any use on
something like a laptop, these have been known to wander away from the
domain ;-)
A DC cannot wander away from itself.
> 
> > Check if these packages are installed.
> > libpam-krb5
Install this package, it isn't part of Samba

Rowland