Kerberos Ticket on Unix/Linux “Clock Skew too great”

Have been trying for 24hrs now to configure Desktop SSO for WebSEAL (TAMeb).

After having no issues on my VM, doing it in the customers environment proved strangely difficult.

After trying to run: /usr/krb5/bin/kinit user@DOMAIN.COM

Even after fixing the time servers, I continued to get the message:

Unable to obtain initial credentials.
        Status 0x96c73a25 - Clock skew too great.

After checking, rechecking and double checking the clocks, (not to mention numerous restarts) I found the solution.

Just run the command:

[root@ibmtivoli ~]# /usr/krb5/bin/kdestroy -q

The Qshell command kdestroy destroys a Kerberos credentials cache.

This command deletes any existing ticket cache. I suspect that given we copied and configured the cache when the clocks were out of wack, there was a timestamp somewhere that was preventing us from progressing.

After progressing a little further, I started getting this error:

[root@ibmtivoli ~]#  /usr/krb5/bin/kinit -k -t  
Unable to obtain initial credentials.
        Status 0x96c73a06 - Client not found in Network 
        Authentication Service database or client locked out.

So, there were two main differences in the customers environment to my Control VM Images.

  1. It was only a single level domain, “DEMO.COM”
  2. It was running with SP2, and all the latest updates, the customers server was Win2008 GA.

After downloading SP2, and reconfiguring the domain to a single level domain.

Suddenly, it all just worked… Hooray!

I suspect that the main reason was the Service Pack 2 for Windows Server 2008, however given we had 1 hour to download the install, we figured we’d do it both at once, leaving the ultimate cause, a case for another time.

Comments are closed.

Website Built with

Up ↑

%d bloggers like this: