When system time is incorrect, users are unable to log in to fix it.

[dwoodhou@i7 ~]$ sudo date -s 2015-01-1
Thu 1 Jan 00:00:00 GMT 2015
[dwoodhou@i7 ~]$ wbinfo -K dwoodhou
Enter dwoodhou's password:
plaintext kerberos password authentication for [dwoodhou] failed (requesting cctype: FILE)
error code was NT_STATUS_LOGON_FAILURE (0xc000006d)
error message was: Logon failure
Could not authenticate user [dwoodhou] with Kerberos (ccache: FILE)

It looks like winbind is recognising that the clock is wrong, and even attempting to cope with it. But ultimately failing to accept the Kerberos ticket that it successfully acquires:

process_request: Handling async request 14184:PAM_AUTH
[14184]: pam auth dwoodhou
child daemon request 13
child_process_request: request fn PAM_AUTH
[14152]: dual pam auth GER\dwoodhou
winbindd_dual_pam_auth: domain: GER last was online
winbindd_dual_pam_auth_kerberos
is_myname("GER") returns 0
using ccache: FILE:/tmp/krb5cc_500
winbindd_raw_kerberos_login: uid is 500
kerberos_kinit_password: as dwoodhou@GER.CORP.INTEL.COM using [FILE:/tmp/krb5cc_500] as ccache and config [(null)]
got TGT for dwoodhou@GER.CORP.INTEL.COM in FILE:/tmp/krb5cc_500
valid until: Tue, 01 Sep 2015 23:42:06 BST (1441147326)
renewable till: Thu, 01 Oct 2015 13:42:06 BST (1443703326)
ads_krb5_mk_req: Advancing clock by 21040851 seconds to cope with clock skew
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_500] expiration Tue, 01 Sep 2015 23:42:06 BST
ads_krb5_mk_req: Ticket (DWOODHOU-LINUX$@GER.CORP.INTEL.COM) in ccache (FILE:/tmp/krb5cc_500) is valid until: (Tue, 01 Sep 2015 23:42:06 BST - 1441147326)
Got KRB5 session key of length 16
Starting GENSEC mechanism gse_krb5
name_to_fqdn: lookup for DWOODHOU-LINUX -> DWOODHOU-LINUX.ger.corp.intel.com.
../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed (Permission denied)
../source3/librpc/crypto/gse_krb5.c:605: Warning! Unable to set mem keytab from system keytab!
gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Ticket not yet valid]
gensec_update() failed: NT_STATUS_LOGON_FAILURE
winbindd_dual_pam_auth_kerberos failed: NT_STATUS_LOGON_FAILURE
Plain-text authentication for user GER\dwoodhou returned NT_STATUS_LOGON_FAILURE (PAM: 7)
Finished processing child request 13
Writing 3496 bytes to parent
wb_request_done[14184:PAM_AUTH]: NT_STATUS_LOGON_FAILURE

When the system clock is fast, gss_init_sec_context() fails differently, and without ads_krb5_mk_req() first noticing the clock skew:

[12050]: pam auth dwoodhou
child daemon request 13
child_process_request: request fn PAM_AUTH
[12010]: dual pam auth GER\dwoodhou
winbindd_dual_pam_auth: domain: GER last was online
winbindd_dual_pam_auth_kerberos
is_myname("GER") returns 0
using ccache: FILE:/tmp/krb5cc_500
winbindd_raw_kerberos_login: uid is 500
kerberos_kinit_password: as dwoodhou@GER.CORP.INTEL.COM using [FILE:/tmp/krb5cc_500] as ccache and config [(null)]
got TGT for dwoodhou@GER.CORP.INTEL.COM in FILE:/tmp/krb5cc_500
valid until: Wed, 02 Sep 2015 21:56:27 BST (1441227387)
renewable till: Fri, 02 Oct 2015 11:56:27 BST (1443783387)
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_500] expiration Wed, 02 Sep 2015 21:56:27 BST
ads_krb5_mk_req: Ticket (DWOODHOU-LINUX$@GER.CORP.INTEL.COM) in ccache (FILE:/tmp/krb5cc_500) is valid until: (Wed, 02 Sep 2015 21:56:27 BST - 1441227387)
Got KRB5 session key of length 16
Starting GENSEC mechanism gse_krb5
name_to_fqdn: lookup for DWOODHOU-LINUX -> DWOODHOU-LINUX.ger.corp.intel.com.
../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed (Permission denied)
../source3/librpc/crypto/gse_krb5.c:605: Warning! Unable to set mem keytab from system keytab!
gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Clock skew too great]
gensec_update() failed: NT_STATUS_LOGON_FAILURE
winbindd_dual_pam_auth_kerberos failed: NT_STATUS_LOGON_FAILURE
Plain-text authentication for user GER\dwoodhou returned NT_STATUS_LOGON_FAILURE (PAM: 7)
Finished processing child request 13
Writing 3496 bytes to parent
wb_request_done[12050:PAM_AUTH]: NT_STATUS_LOGON_FAILURE

Perhaps a simple solution here is just to do the equivalent of spawning 'net time set -S $DOMAIN', if gss_accept_sec_context() results in KRB5KRB_AP_ERR_SKEW or KRB5KRB_AP_ERR_TKT_NYV. And then try again. You could make that optional, if you really must.
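
Added example, not part of the original report and not Samba code: a triage helper that reads winbindd debug output and flags PAM_AUTH failures whose real cause is clock skew (TGT obtained, then gss_accept_sec_context rejecting the ticket), so they are not mistaken for bad passwords. The function name diagnose() and the result keys are assumptions for illustration; the sample log is constructed from key lines of the two traces above.

```python
import re

# Minor-status strings seen in the traces, mapped to the krb5 error codes the report names.
SKEW_ERRORS = {
    "Ticket not yet valid": "KRB5KRB_AP_ERR_TKT_NYV",
    "Clock skew too great": "KRB5KRB_AP_ERR_SKEW",
}
ACCEPT_RE = re.compile(r"gss_accept_sec_context failed with \[.*?more information: ([^\]]+)\]")
ADVANCE_RE = re.compile(r"ads_krb5_mk_req: Advancing clock by (\d+) seconds")
DONE_RE = re.compile(r"wb_request_done\[(\d+):PAM_AUTH\]: (NT_STATUS_\w+)")

# Constructed sample: key lines from both traces in the report, joined into one log.
SAMPLE = """\
got TGT for dwoodhou@GER.CORP.INTEL.COM in FILE:/tmp/krb5cc_500
ads_krb5_mk_req: Advancing clock by 21040851 seconds to cope with clock skew
gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Ticket not yet valid]
wb_request_done[14184:PAM_AUTH]: NT_STATUS_LOGON_FAILURE
got TGT for dwoodhou@GER.CORP.INTEL.COM in FILE:/tmp/krb5cc_500
gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Clock skew too great]
wb_request_done[12050:PAM_AUTH]: NT_STATUS_LOGON_FAILURE
"""

def diagnose(log_text):
    """Return one finding per PAM_AUTH request that failed because of clock skew."""
    findings, state = [], {}
    for line in log_text.splitlines():
        if "got TGT for" in line:
            state["tgt_obtained"] = True          # KDC accepted the password
        elif m := ADVANCE_RE.search(line):
            state["advanced_by"] = int(m.group(1))  # winbind noticed the skew itself
        elif m := ACCEPT_RE.search(line):
            state["krb5_error"] = SKEW_ERRORS.get(m.group(1).strip())
        elif m := DONE_RE.search(line):
            if m.group(2) == "NT_STATUS_LOGON_FAILURE" and state.get("krb5_error"):
                findings.append({"request": int(m.group(1)), "tgt_obtained": False,
                                 "advanced_by": None, **state})
            state = {}  # the next request starts clean
    return findings

if __name__ == "__main__":
    for f in diagnose(SAMPLE):
        days = f["advanced_by"] / 86400 if f["advanced_by"] else None
        print(f["request"], f["krb5_error"], "clock advanced (days):", days)
```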