Author Topic: Can't login to Domain after  (Read 3253 times)

Lebowski

Can't login to Domain after
« on: December 22, 2012, 12:09:15 pm »
Hi,

I set up Zentyal as a primary domain controller for Windows XP clients. I could join the domain successfully, but after some time (without making any changes), when I want to log in to a Windows client I get the alert

Quote
Username or password incorrect. Check username password and domain and try again.

If I restart all Zentyal modules, everything works fine for a while, until the problem occurs again.

These are the lines in /var/log/samba/samba.log (adams is the user, ACME.INTERN the domain and winclient the name of the Windows XP client):

Code:
[2012/12/22 02:32:36,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ adams@ACME from ipv4:10.0.2.150:1302 for krbtgt/ACME@ACME
[2012/12/22 02:32:36,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: ENC-TS, 128
[2012/12/22 02:32:36,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PK-INIT(ietf) pa-data -- adams@ACME
[2012/12/22 02:32:36,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PK-INIT(win2k) pa-data -- adams@ACME
[2012/12/22 02:32:36,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- adams@ACME
[2012/12/22 02:32:36,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Too large time skew, client time 2012-12-22T11:15:51 is out by 31395 > 300 seconds -- adams@ACME
[2012/12/22 02:32:36,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
[2012/12/22 02:32:36,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ adams@ACME from ipv4:10.0.2.150:1303 for krbtgt/ACME@ACME
[2012/12/22 02:32:36,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: ENC-TS, 128
[2012/12/22 02:32:36,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PK-INIT(ietf) pa-data -- adams@ACME
[2012/12/22 02:32:36,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PK-INIT(win2k) pa-data -- adams@ACME
[2012/12/22 02:32:36,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- adams@ACME
[2012/12/22 02:32:36,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Too large time skew, client time 2012-12-22T11:15:51 is out by 31395 > 300 seconds -- adams@ACME
[2012/12/22 02:32:36,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ


Thank you
« Last Edit: December 22, 2012, 12:18:25 pm by Lebowski »

Lebowski

Re: Can't login to Domain after
« Reply #1 on: December 22, 2012, 04:07:04 pm »
Hi

All in all, it was a time problem. I had a wrongly configured hardware clock.

Using Kerberos, there is a maximum allowed time skew for authentication to take place.

Quote
Windows operating systems include the Time Service tool (W32Time service) that is used by the Kerberos authentication protocol. Kerberos authentication will work if the time interval between the relevant computers is within the maximum enabled time skew. The default is 5 minutes. You can also turn off the Time Service tool. Then, you can install a third-party time service

This is the whole article: http://support.microsoft.com/kb/884776/en-us
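Added example, not part of the original posts: a small Python parser that pulls the "Too large time skew" records out of a Samba log in the format shown in the first post and reports which client and principal were rejected and in which direction the clocks differ. The function name and the sample string are constructed for illustration; the sample lines are copied from the excerpt above, and the sign calculation assumes the log header and the client time are printed in the same timezone.

```python
import re
from datetime import datetime

# Constructed sample: three records copied from the log excerpt in the first post.
SAMPLE_LOG = """\
[2012/12/22 02:32:36,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ adams@ACME from ipv4:10.0.2.150:1302 for krbtgt/ACME@ACME
[2012/12/22 02:32:36,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- adams@ACME
[2012/12/22 02:32:36,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Too large time skew, client time 2012-12-22T11:15:51 is out by 31395 > 300 seconds -- adams@ACME
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]")
AS_REQ = re.compile(r"Kerberos: AS-REQ (\S+) from ipv4:([\d.]+):\d+")
SKEW = re.compile(r"Kerberos: Too large time skew, client time (\S+) "
                  r"is out by (\d+) > (\d+) seconds -- (\S+)")

def find_skew_failures(log_text):
    """Return one dict per 'Too large time skew' record in a Samba log."""
    failures, server_time, last_ip = [], None, {}
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:  # header line carries the server-side timestamp
            server_time = datetime.strptime(header.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        req = AS_REQ.search(line)
        if req:  # remember which address last asked for this principal
            last_ip[req.group(1)] = req.group(2)
            continue
        skew = SKEW.search(line)
        if skew and server_time:
            client_time = datetime.strptime(skew.group(1), "%Y-%m-%dT%H:%M:%S")
            # Assumption: both timestamps are printed in the same timezone.
            signed = int((client_time - server_time).total_seconds())
            failures.append({
                "principal": skew.group(4),
                "client_ip": last_ip.get(skew.group(4)),
                "reported_skew": int(skew.group(2)),
                "limit": int(skew.group(3)),
                "client_minus_server": signed,  # > 0: client clock is ahead
            })
    return failures

if __name__ == "__main__":
    for failure in find_skew_failures(SAMPLE_LOG):
        print(failure)
```

On the sample, the signed difference between the client time and the log header time equals the reported 31395 seconds, so the client clock is ahead of the server clock by that amount.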

robb

Re: Can't login to Domain after
« Reply #2 on: December 22, 2012, 07:53:04 pm »
You can set up any Windows client using NTP to sync time. Zentyal has an NTP module. So the easiest way would be using Zentyal as NTP server.