[K12OSN] kinit: clock skew too great
pxeboot at gmail.com
Wed Apr 4 22:31:27 UTC 2007
This error means that the time on the Kerberos client is out of sync with
the Kerberos server. The Kerberos server in this case is your AD controller. I
believe, by default, the Kerberos server will refuse to issue tickets if
the clocks are out of sync by more than 5 minutes.
To avoid this problem, you should use the AD controller as the primary NTP
source for all AD members. This way your clients are always in sync with
the AD controller. To automate this, I set up cron jobs on all Linux AD
member servers to execute the following:
# /sbin/service ntpd stop; /usr/sbin/ntpdate <ip address of AD server>; /sbin/service ntpd start
The command above stops the ntpd daemon, updates the system time from the AD
controller, then restarts the ntpd daemon.
On 4/4/07, cisna-barry at wc235.k12.il.us <cisna-barry at wc235.k12.il.us> wrote:
> Hello All,
> Still wrangling with the clock skew too great problem. I have double
> checked again all the servers' hardware and system times, & all are within
> 2 mins of one another, and have found that if I try to rejoin all the
> K12ltsp servers to our domain, I am getting this error message. Another
> thing I have noticed is (I use the "Bind to domain" facility built in
> Webmin) after the try to join the AD domain, it returns: '
> get_service_ticket: kerberos_kinit_password WCFILE$@DOMAIN at DOMAIN failed:
> Clock skew too great'. Notice the TWO @DOMAIN entries. I don't remember
> seeing this when joining to domain before?
> Anyone have any ideas?
> Barry Cisna
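An added example, not part of the original post: a shell check that measures the client's offset against the AD controller from `ntpdate -q` output and compares it with the 5-minute tolerance mentioned in the reply. The function names, the 300-second limit as a variable, and the sample output (with documentation address 192.0.2.10) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the measured clock offset with the Kerberos tolerance.
MAX_SKEW=300   # seconds; assumed from the "5 minutes" default cited in the reply

# Constructed sample of `ntpdate -q` output (not captured from a real host).
sample_skewed() {
    printf '%s\n' \
      'server 192.0.2.10, stratum 2, offset -412.700000, delay 0.02600' \
      ' 4 Apr 22:31:27 ntpdate[2101]: step time server 192.0.2.10 offset -412.700000 sec'
}

# Read `ntpdate -q` output on stdin; print the offset (seconds) from the
# first "server" line, or nothing if no server answered.
parse_offset() {
    awk '/^server / {
        for (i = 1; i < NF; i++)
            if ($i == "offset") { sub(/,$/, "", $(i+1)); print $(i+1); exit }
    }'
}

# skew_status OFFSET [LIMIT]
# Prints "OK n", "SKEW n" or "UNKNOWN"; exit status 0, 1 or 2 respectively.
skew_status() {
    awk -v off="$1" -v max="${2:-$MAX_SKEW}" 'BEGIN {
        # An empty or non-numeric offset means the query failed: do not report OK.
        if (off !~ /^[-+]?[0-9]*\.?[0-9]+$/) { print "UNKNOWN"; exit 2 }
        a = (off < 0) ? -off : off
        if (a > max) { printf "SKEW %.0f\n", a; exit 1 }
        printf "OK %.0f\n", a
    }'
}

# Demo on the constructed sample. For live use (DC_IP is a placeholder):
#   skew_status "$(ntpdate -q "$DC_IP" | parse_offset)"
skew_status "$(sample_skewed | parse_offset)" || true
```

Run from cron, a non-zero exit status can trigger an alert before the next domain join or ticket request fails.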