Failing to authorize AD users with error "incorrect password or invalid membership" due to a system clock offset.

Solution Verified - Updated -

Issue

  • AD users are unable to log in to the system, and the following error messages appear in /var/log/secure.
sshd[10077]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: The attempted logon is invalid. This is either due to a bad username or authentication information.
sshd[10077]: pam_winbind(sshd:auth): user 'ad_user' denied access (incorrect password or invalid membership)
  • Increase debug level then "krb5_kt_start_seq_get failed (Permission Denied)" is found in /var/log/samba/log.wb-DOMAIN.
../../source3/librpc/crypto/gse_krb5.c:417(fill_mem_keytab_from_system_keytab)
  ../../source3/librpc/crypto/gse_krb5.c:417: krb5_kt_start_seq_get failed (Permission Denied)
../../source3/librpc/crypto/gse_krb5.c:577(gse_krb5_get_server_keytab)
  ../../source3/librpc/crypto/gse_krb5.c:577: Warning! Unable to set mem keytab from system keytab!

Environment

  • Red Hat Enterprise Linux 7
    • winbind

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content