[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] kinit: clock skew too great

This error means that the time on the kerberos client is out of synch with kerberos server.  The kerberos server in this case is your AD controller.  I believe, by default, the kerberos server will refuse to issue  tickets if the clocks are out of synch by more than 5 minutes.
To avoid this problem, you should use the AD controller as the primary ntp source for all AD members. This way your clients are always in synch with the AD controller.  To automate this, I  setup  cron jobs  on all Linux AD member servers to execute the following:
# /sbin/service ntpd stop; /usr/sbin/ntpdate <ip address of AD server>; /sbin/service ntpd start
The command above stops the ntpd daemon, updates the system time  with AD controller then restarts ntpd daemon.

On 4/4/07, cisna-barry wc235 k12 il us <cisna-barry wc235 k12 il us > wrote:
Hello All,

Still wrangling with the clock skew too great problem. I have double
checked again,all the servers hardware and system times,& all are within
2 mins of one another. and have found that if i try to rejoin, all the
K12ltsp servers to our domain, I am getting this error message. Another
thing i have noticed is( I use the "Bind to domain" facility), built in
Webmin. after the try to join AD domain, It returns: '
get_service_ticket: kerberos_kinit_password WCFILE$ DOMAIN@DOMAIN failed:
Clock skew too great ' . Notice the TWO @DOMAIN entries. i dont remember
seeing this, when joining to domain before?
Anyone have any ideas?


Barry Cisna

K12OSN mailing list
K12OSN redhat com
For more info see <http://www.k12os.org>

Conrad Lawes
PXE Guru
[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]