[K12OSN] kinit: clock skew too great

[Conrad Lawes]

This error means that the time on the kerberos client is out of synch with
kerberos server.  The kerberos server in this case is your AD controller.  I
believe, by default, the kerberos server will refuse to issue  tickets if
the clocks are out of synch by more than 5 minutes.

To avoid this problem, you should use the AD controller as the primary ntp
source for all AD members. This way your clients are always in synch with
the AD controller.  To automate this, I  setup  cron jobs  on all Linux AD
member servers to execute the following:

# /sbin/service ntpd stop; /usr/sbin/ntpdate <ip address of AD server>;
/sbin/service ntpd start

The command above stops the ntpd daemon, updates the system time  with AD
controller then restarts ntpd daemon.


On 4/4/07, cisna-barry at wc235.k12.il.us <cisna-barry at wc235.k12.il.us> wrote:
>
> Hello All,
>
> Still wrangling with the clock skew too great problem. I have double
> checked again,all the servers hardware and system times,& all are within
> 2 mins of one another. and have found that if i try to rejoin, all the
> K12ltsp servers to our domain, I am getting this error message. Another
> thing i have noticed is( I use the "Bind to domain" facility), built in
> Webmin. after the try to join AD domain, It returns: '
> get_service_ticket: kerberos_kinit_password WCFILE$@DOMAIN at DOMAIN failed:
> Clock skew too great ' . Notice the TWO @DOMAIN entries. i dont remember
> seeing this, when joining to domain before?
> Anyone have any ideas?
>
> Thanks,
>
> Barry Cisna
>
> _______________________________________________
> K12OSN mailing list
> K12OSN at redhat.com
> https://www.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
>



-- 
Regards,
Conrad Lawes
PXE Guru
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/k12osn/attachments/20070404/fcb7cc53/attachment.htm>