Re: [Samba] Clock skew and net ads join problem

[Clint Sharp]

Sahibzada Junaid Noor wrote:
HI,
  when i try to execute the kinit command on my Red
hat 9 system with samba 3 i get the following error
[EMAIL PROTECTED] root]# kinit [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]:
kinit(v5): Clock skew too great while getting initial
  credentials
so how do i solve the clock skew problem cause i have
checked the time on both of them it is the same. 

the net ads join command doesnt give any error but i
still see nothing in the active directory computers
list
also should the smbd, nmbd and winbind be running when
i am running the commands 
    kinit 
     and 
 net ads join?

here is the global section of my smb.conf
workgroup = MYGROUP
server string = Samba Server
printcap name = /etc/printcap
load printers = yes
log file = /var/log/samba/smbd.log
max log size = 50
realm = NIIT.EDU.PK
security = ADS
password server = 10.10.11.1(IP of the machine running
Active directory)
encrypt passwords = yes
dns proxy = no
And here is my krb5.conf. 

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
 

[libdefaults]
ticket_lifetime = 24000
default_realm = NIIT.EDU.PK
dns_lookup_realm = false
dns_lookup_kdc = false
forwardable = true
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
[realms]
NIIT.EDU.PK = {
 kdc = mnsvr.niit.edu.pk:88
 admin_server = mnsvr.niit.edu.pk:749
 default_domain = niit.edu.pk
}
[domain_realm]
.niit.edu.com = NIIT.EDU.PK
niit.edu.pk = NIIT.EDU.PK
                                                     
                                         
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
afs_salt = NIIT.EDU.PK
                                                     
                                         
[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}

plz help me with the skew problem cause i have checked
the time on both linux and domain controllers they are
the same.
also the net ads join command doesnt give any error
but still i cannot see the machine in the AD computers
list.
and should the three samba daemons be running when i
execute the kinit and net ads join commands?

 

=====
 Sahibzada Junaid Noor  
 Ph   #  (+92) (051) 5950 940
 Cell #   (+92) (0333) 5223586
 Qazi plaza,Third Floor,Commerical Market,Chaklala Scheme 3,
 Rawalpindi
 Islamic Republic of Pakistan 

 

Have you verified the timezones are identical and that one isn't set to 
PM while the other is AM?  In my experience the only times I've received 
errors of this kind, either in Windows or from kerberos is when the 
timezones are set incorrectly or I had accidently set the clock to AM or 
PM when it should have been the other.  Also, are you using some sort of 
time sychronization (NTP preferably)?

Clint
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba