5. Configure NTP

The Kerberos protocol relies heavily on timestamps. If the clock on the Debian workstation is out of sync with the primary domain controller, Kerberos authentication will fail. Windows Server 2003 by default broadcasts its time via the Network Time Protocol (NTP). To synchronize your clock with the primary domain controller, try the following [1]:

sudo ntpdate pdc_ip_address

If you receive an "NTP socket in use" error, you need to stop the NTP daemon (sudo /etc/init.d/ntp-server stop) and try again. If ntpdate still fails, chances are that either the Windows Time Service is not running or one or more firewalls between the workstation and the domain controller are blocking port 123/UDP. Start the service and/or create exceptions for this port and try again.

When successful, ntpdate synchronizes your clock enough to start the NTP daemon, which handles all further synchronization. To point this daemon at the Windows domain controller, locate the first uncommented line in /etc/ntp.conf beginning with server and make the following change:

server pdc_ip_address

With this setting in place, restart the NTP daemon:

sudo /etc/init.d/ntp-server start

To confirm that your workstation is contacting the primary domain controller for time updates, run ntpq -p. If everything is configured correctly, you should see your primary domain controller's IP address or DNS name in the list of time servers.
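
The ntpq -p check above can be scripted. The following shell function is an added example, not part of the original guide: it reads ntpq -pn output and reports whether the domain controller is listed, reachable, selected as the sync source, and within a clock-skew limit. The 300-second default (the usual Kerberos tolerance), the names check_pdc_sync and sample, the verdict strings and the 192.0.2.10 sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Usage: ntpq -pn | check_pdc_sync <pdc_ip> [max_skew_seconds]
# (-n makes ntpq print addresses, so the match below is on the IP.)
check_pdc_sync() {
    pdc=$1
    max_skew=${2:-300}    # assumption: default Kerberos tolerance of 5 minutes
    awk -v pdc="$pdc" -v max="$max_skew" '
        {
            tally = substr($0, 1, 1)          # column 1 is the peer status flag
            n = split(substr($0, 2), f, " ")  # remote name starts at column 2
            if (n < 10 || f[1] != pdc) next   # header, ruler or another peer
            found = 1
            offset_ms = f[9] + 0              # ntpq reports offset in ms
            if (offset_ms < 0) offset_ms = -offset_ms
            if (f[7] + 0 == 0)               verdict = "unreachable"   # reach 0
            else if (offset_ms > max * 1000) verdict = "skew-exceeded"
            else if (tally != "*")           verdict = "not-selected"
            else                             verdict = "ok"
        }
        END {
            if (!found) verdict = "not-listed"
            print verdict
            exit (verdict == "ok" ? 0 : 1)
        }'
}

# Constructed sample output (not captured from a real host); $1 is the peer line.
sample() {
    printf '%s\n' \
'     remote           refid      st t when poll reach   delay   offset  jitter' \
'==============================================================================' \
"$1"
}
SYNCED='*192.0.2.10      .LOCL.           1 u   33   64  377    0.412    1.873   0.210'
DRIFTED=' 192.0.2.10      .LOCL.           1 u   12   64  377    0.398 -412345.678 0.000'
BLOCKED=' 192.0.2.10      .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Demo on the constructed samples (|| true: a failing verdict is expected here).
sample "$SYNCED"  | check_pdc_sync 192.0.2.10 || true
sample "$DRIFTED" | check_pdc_sync 192.0.2.10 || true
sample "$BLOCKED" | check_pdc_sync 192.0.2.10 || true
```

A verdict of unreachable corresponds to the stopped Windows Time Service or blocked 123/UDP case described earlier; not-selected shortly after a restart usually means the daemon has not yet chosen its source.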

Notes

[1] The timezone on your Debian workstation must be correct for the synchronization to be effective. If ntpdate is successful, but the time seems ahead or behind, run tzconfig to select the appropriate timezone.