Zentyal Forum, Linux Small Business Server
Zentyal Server => Directory and Authentication => Topic started by: mcoa on June 13, 2019, 03:33:28 pm
-
Hello.
I have Zentyal 5.0 with the Samba A/D, DNS, NTP, etc. modules. I tried to add a host to the DNS service and got an error after saving and restarting the service.
2019/06/12 23:22:36 INFO> GlobalImpl.pm:625 EBox::GlobalImpl::saveAllModules - Saving config and restarting services: firewall dns
2019/06/12 23:22:37 INFO> Base.pm:231 EBox::Module::Base::save - Restarting service for module: dns
2019/06/12 23:22:42 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2019/06/12 23:22:46 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-zentyal1 failed.
Error output: kinit: krb5_get_init_creds: Clock skew too great
Command output: .
Exit value: 1 at root command kinit -k -t /var/lib/samba/private/dns.keytab dns-zentyal1 failed.
Error output: kinit: krb5_get_init_creds: Clock skew too great
What's wrong?
Thanks
-
Hi!
It signifies that there's no synchronicity across your whole system.
But this is bizarre, since you have configured your Zentyal as a domain controller and this option automatically enables NTP... :o
Do you have some additional domain controller that isn't synchronized?
Cheers!
-
Hello,
Yes, I have two additional domain controllers. Hmm, I see some errors:
root@zentyal1:~# samba-tool drs showrepl 2>&1
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:zentyal1.example.local[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name zentyal1.example.local<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name zentyal1.example.local<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name zentyal1.example.local<0x20>
GSS client Update(krb5)(1) Update failed: Miscellaneous failure (see text): Clock skew too great
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/zentyal1.example.local failed (next[ntlmssp]): NT_STATUS_LOGON_FAILURE
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Default-First-Site-Name\ZENTYAL1
DSA Options: 0x00000001
DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
DSA invocationId: b0a91b8a-3bd6-4489-b846-ddba28dcf5a4
==== INBOUND NEIGHBORS ====
DC=ForestDnsZones,DC=example,DC=local
Default-First-Site-Name\ZENTYAL2 via RPC
DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
Last attempt @ Thu Jun 13 12:13:47 2019 -04 failed, result 1326 (WERR_LOGON_FAILURE)
445 consecutive failure(s).
Last success @ Tue Jun 11 23:16:56 2019 -04
DC=ForestDnsZones,DC=example,DC=local
Default-First-Site-Name\ZENTYAL3 via RPC
DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
Last attempt @ Thu Jun 13 12:13:47 2019 -04 was successful
0 consecutive failure(s).
Last success @ Thu Jun 13 12:13:47 2019 -04
DC=DomainDnsZones,DC=example,DC=local
Default-First-Site-Name\ZENTYAL2 via RPC
DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
Last attempt @ Thu Jun 13 12:16:19 2019 -04 failed, result 1326 (WERR_LOGON_FAILURE)
2305 consecutive failure(s).
Last success @ Tue Jun 11 23:16:56 2019 -04
DC=DomainDnsZones,DC=example,DC=local
Default-First-Site-Name\ZENTYAL3 via RPC
DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
Last attempt @ Thu Jun 13 12:13:47 2019 -04 was successful
0 consecutive failure(s).
Last success @ Thu Jun 13 12:13:47 2019 -04
DC=example,DC=local
Default-First-Site-Name\ZENTYAL2 via RPC
DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
Last attempt @ Thu Jun 13 12:13:47 2019 -04 failed, result 1326 (WERR_LOGON_FAILURE)
929 consecutive failure(s).
Last success @ Tue Jun 11 23:16:59 2019 -04
DC=example,DC=local
Default-First-Site-Name\ZENTYAL3 via RPC
DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
Last attempt @ Thu Jun 13 12:13:49 2019 -04 was successful
0 consecutive failure(s).
Last success @ Thu Jun 13 12:13:49 2019 -04
CN=Schema,CN=Configuration,DC=example,DC=local
Default-First-Site-Name\ZENTYAL2 via RPC
DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
Last attempt @ Thu Jun 13 12:13:50 2019 -04 failed, result 1326 (WERR_LOGON_FAILURE)
446 consecutive failure(s).
Last success @ Tue Jun 11 23:16:59 2019 -04
CN=Schema,CN=Configuration,DC=example,DC=local
Default-First-Site-Name\ZENTYAL3 via RPC
DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
Last attempt @ Thu Jun 13 12:13:50 2019 -04 was successful
0 consecutive failure(s).
Last success @ Thu Jun 13 12:13:50 2019 -04
CN=Configuration,DC=example,DC=local
Default-First-Site-Name\ZENTYAL2 via RPC
DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
Last attempt @ Thu Jun 13 12:13:50 2019 -04 failed, result 1326 (WERR_LOGON_FAILURE)
447 consecutive failure(s).
Last success @ Tue Jun 11 23:16:59 2019 -04
CN=Configuration,DC=example,DC=local
Default-First-Site-Name\ZENTYAL3 via RPC
DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
Last attempt @ Thu Jun 13 12:13:50 2019 -04 was successful
0 consecutive failure(s).
Last success @ Thu Jun 13 12:13:50 2019 -04
==== OUTBOUND NEIGHBORS ====
DC=ForestDnsZones,DC=example,DC=local
Default-First-Site-Name\ZENTYAL2 via RPC
DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
Last attempt @ Thu Jun 13 12:17:26 2019 -04 failed, result 1326 (WERR_LOGON_FAILURE)
14 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=example,DC=local
Default-First-Site-Name\ZENTYAL3 via RPC
DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=example,DC=local
Default-First-Site-Name\ZENTYAL2 via RPC
DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
Last attempt @ Thu Jun 13 12:17:26 2019 -04 failed, result 1326 (WERR_LOGON_FAILURE)
14 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=example,DC=local
Default-First-Site-Name\ZENTYAL3 via RPC
DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=example,DC=local
Default-First-Site-Name\ZENTYAL2 via RPC
DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
Last attempt @ Thu Jun 13 12:17:26 2019 -04 failed, result 1326 (WERR_LOGON_FAILURE)
13 consecutive failure(s).
Last success @ NTTIME(0)
DC=example,DC=local
Default-First-Site-Name\ZENTYAL3 via RPC
DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=example,DC=local
Default-First-Site-Name\ZENTYAL2 via RPC
DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
Last attempt @ Thu Jun 13 12:17:27 2019 -04 failed, result 1326 (WERR_LOGON_FAILURE)
14 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=example,DC=local
Default-First-Site-Name\ZENTYAL3 via RPC
DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=example,DC=local
Default-First-Site-Name\ZENTYAL2 via RPC
DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
Last attempt @ Thu Jun 13 12:17:27 2019 -04 failed, result 1326 (WERR_LOGON_FAILURE)
14 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=example,DC=local
Default-First-Site-Name\ZENTYAL3 via RPC
DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: 36a4786c-c9de-4fc1-b2b7-390c0d7f4dba
Enabled : TRUE
Server DNS name : zentyal2.example.local
Server DN name : CN=NTDS Settings,CN=ZENTYAL2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: f74e48dd-ca6a-43a3-8c7e-ddba4203a12f
Enabled : TRUE
Server DNS name : zentyal3.example.local
Server DN name : CN=NTDS Settings,CN=ZENTYAL3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
-
If 2 (or more) domain controllers are not time synchronised, authentication will fail.
Check the configuration and time on all your domain controllers.
If the setup is correct and consistent, are your controllers physical or virtual machines?
I had a similar problem here - https://forum.zentyal.org/index.php/topic,32364.msg108925.html#msg108925
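Added example, not part of any post in this thread: a small Python parser for `samba-tool drs showrepl` output that reports only the partner DCs whose replication attempts failed, with the error name, the highest failure count and the last successful sync, so you know which controller's clock to compare first. The sample text is constructed in the layout shown above, and `failing_partners` is a hypothetical helper name.

```python
import re

# Constructed sample in the layout of `samba-tool drs showrepl` (GUID lines omitted).
SAMPLE = r"""==== INBOUND NEIGHBORS ====
DC=example,DC=local
Default-First-Site-Name\ZENTYAL2 via RPC
Last attempt @ Thu Jun 13 12:13:47 2019 -04 failed, result 1326 (WERR_LOGON_FAILURE)
929 consecutive failure(s).
Last success @ Tue Jun 11 23:16:59 2019 -04
DC=example,DC=local
Default-First-Site-Name\ZENTYAL3 via RPC
Last attempt @ Thu Jun 13 12:13:49 2019 -04 was successful
0 consecutive failure(s).
Last success @ Thu Jun 13 12:13:49 2019 -04
==== OUTBOUND NEIGHBORS ====
CN=Configuration,DC=example,DC=local
Default-First-Site-Name\ZENTYAL2 via RPC
Last attempt @ Thu Jun 13 12:17:27 2019 -04 failed, result 1326 (WERR_LOGON_FAILURE)
14 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
Connection --
"""

def failing_partners(text):
    """Map each partner DC with failed replication to its error summary."""
    report, section, prev, cur = {}, None, "", None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("===="):
            m = re.match(r"=+ (\w+) NEIGHBORS =+$", line)
            section, cur = (m.group(1) if m else None), None
        elif section and (m := re.match(r".+\\(\S+) via \S+$", line)):
            # The line before "<site>\<DC> via RPC" is the naming context.
            cur = {"dc": m.group(1), "nc": prev, "entry": None}
        elif cur and (m := re.match(r"Last attempt @ .+ failed, result \d+ \((\w+)\)", line)):
            cur["entry"] = report.setdefault(
                cur["dc"], {"errors": set(), "max_failures": 0, "contexts": [], "last_ok": set()})
            cur["entry"]["errors"].add(m.group(1))
            cur["entry"]["contexts"].append((section, cur["nc"]))
        elif cur and cur["entry"] and (m := re.match(r"(\d+) consecutive failure", line)):
            cur["entry"]["max_failures"] = max(cur["entry"]["max_failures"], int(m.group(1)))
        elif cur and cur["entry"] and line.startswith("Last success @ ") and "NTTIME(0)" not in line:
            cur["entry"]["last_ok"].add(line[len("Last success @ "):])
        prev = line
    return report

if __name__ == "__main__":
    for dc, info in failing_partners(SAMPLE).items():
        print(dc, sorted(info["errors"]), info["max_failures"], sorted(info["last_ok"]), info["contexts"])
```

To use it on a live controller, feed it the text captured from `samba-tool drs showrepl 2>&1`; the "last success" time marks roughly when the failing partner's clock or credentials went bad.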