Kerberos authentication: clock skew too great

When trying

kinit 

I get

's Password:
kinit: krb5_get_init_creds: Clock skew too great

What to do?

Here is my timedatectl status

$ timedatectl status
Local time: C  2018-03-01 14:28:48 EET
Universal time: C  2018-03-01 12:28:48 UTC
RTC time: S  2018-02-24 23:48:07
Time zone: Europe/Riga (EET, +0200)
Network time on: yes
NTP synchronized: yes
RTC in local TZ: no

1 Answer

Best practice

Because Kerberos is very time-sensitive, you should configure your client machines to use one of your domain controllers as an NTP server. The DigitalOcean link further down recommends using ntp instead of systemd-timesyncd because of some optimized "smoothing" algorithms that prevent weird clock jumps that can break some applications ("timestamp in the future", "session aborted", etc.).

If on a system with systemd and timedatectl

Run sudo gedit /etc/systemd/timesyncd.conf, uncomment NTP=, and set it to your space-separated list of servers to try. If you have laptops that may not be on the VPN to access the domain controllers, you should also set FallbackNTP= to include something like pool.ntp.org or other public NTP servers.

Example /etc/systemd/timesyncd.conf

[Time]
NTP=domaincontroller.pithoslabs.com
FallbackNTP=ntp.ubuntu.com pool.ntp.org

Then sudo systemctl restart systemd-timesyncd to put the new changes into effect without rebooting.

If on a system without systemd

sudo apt install ntpdate
# setting the system clock requires root
sudo ntpdate domaincontroller.yourdomain.com
sudo gedit /etc/default/ntpdate

You will probably need to add a cron entry to run this daily for long-running machines. You could also use ntp directly per this excellent DigitalOcean document.

If you also have ntp installed, ntpdate-debian (the ntpdate package with some tweaks from upstream for Debian/Ubuntu) can also use /etc/ntp.conf; see the comments in the /etc/default/ntpdate file.
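
To confirm that the client really is outside the Kerberos tolerance before changing any time configuration, the sketch below parses a query-only `ntpdate -q` measurement and compares it with the skew limit. It is an added example, not part of the original answer. It assumes the 300-second default `clockskew` of MIT krb5 and Heimdal and the classic `ntpdate -q` output format; the function names and the sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): compare a measured clock
# offset with the Kerberos skew tolerance before changing any time config.
# Assumption: 300 s limit, the default "clockskew" in MIT krb5 and Heimdal.
MAX_SKEW="${MAX_SKEW:-300}"

# Read `ntpdate -q` output on stdin and print the last reported offset in
# seconds (signed). Returns 1 if no offset field is present.
parse_offset() {
    awk '{
        for (i = 1; i < NF; i++) {
            if ($i == "offset") { off = $(i + 1); sub(/,$/, "", off) }
        }
    }
    END { if (off == "") exit 1; print off }'
}

# Print OK or SKEW for an offset in seconds.
# Exit status: 0 within tolerance, 1 beyond it, 2 if not a number.
check_skew() {
    awk -v off="$1" -v max="$MAX_SKEW" 'BEGIN {
        if (off !~ /^[+-]?[0-9]+(\.[0-9]+)?$/) { print "INVALID"; exit 2 }
        a = off + 0; if (a < 0) a = -a
        if (a > max) { printf "SKEW %.1f s (limit %d s)\n", a, max; exit 1 }
        print "OK"
    }'
}

# Constructed sample in the classic `ntpdate -q` output format; on a real
# client: ntpdate -q domaincontroller.yourdomain.com | parse_offset
SAMPLE='server 192.0.2.10, stratum 3, offset 412.730518, delay 0.02631
 1 Mar 14:28:48 ntpdate[2214]: step time server 192.0.2.10 offset 412.730518 sec'

offset=$(printf '%s\n' "$SAMPLE" | parse_offset)
check_skew "$offset" || true   # prints: SKEW 412.7 s (limit 300 s)
```

Measuring against the domain controller itself matters because the KDC compares the client's timestamp with its own clock, not with a public NTP pool.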
