LDAP, GSS-API error and clock skew message

Question

Hi, I do face a problem that seems to be very similiar to the one described here: https://community.emc.com/thread/85589 But this thread didn't provide me so much help actually... After each reboot of the datamover, I can see the following messages: 2010-05-11 10:45:37: LDAP: 3: LDAP authentication: GSS initate security context for target: ldap/pye603.mydomain.com@mydomain.com - principal: PYSE20$@MYDOMAIN.COM failed - GSS-API major error: Miscellaneous failure2010-05-11 10:45:37: LDAP: 3: LDAP authentication: GSS initate security context for target: ldap/pye603.mydomain.com@mydomain.com - principal: PYSE20$@MYDOMAIN.COM failed - GSS-API minor error: Clock skew too great in KDC reply2010-05-11 10:45:37: LDAP: 3: LdapClient::connect: error message: Sasl protocol violation, (error code 99)2010-05-11 10:45:37: SMB: 4: Unable to connect to Active Directory server pye603.mydomain.com (10.82.209.187), port 389 The log is full of similiar messages. There are always 4 messages per active domain controller. NTP is set on the datamover and working well. There is no time gap between the datamover and any domain controlleur server. Should I bother about all this ? Anyway to avoid it ? My version is 5.6.47.11. Thanks Eric

gbarretoxx1 · Answer

Hi,

There might have some problem with the Kerberos information for the CIFS server computer account.

You can try to rejoin the CIFS server with resetserverpassword option. Please, refer to primus emc210491.

Gustavo Barreto.

SAMEERK1 · Answer

Hi,

These messges are from the control station, I think there is the time differrence between Control station and the domain Controller and there are domain mapped users for the celerra manager. you can try changing the time of the control station as same as the dc you have mapped.

let us know if this clearred the errors.

Sameer

whoreallycares · Answer

I'll follow Gustavo's tips to try to address this problem.

No news yet to share unfortunately. I'm relying on some internal teams' support.

This block of error messages is repeated for all active DC.

It difficult to imagine one single DC to be time shifted. ALL of them ? No...

I don't think we do have a concern on the CS.

The date/time/timezone is ok on the CS.

Also, why would these messages be triggered when the datamover is reboot ?

Eric

nandas · Answer

You are right - This may not be a time difference issue - there may be reason which can cause this. Is there any impact accessing the CIFS server and the shares? - I hope not at this moment.

Typically these messages reflects authentication or communication issues between CIFS server and Domain controllers.

Most of the times, resetting the computer account from the data mover end (not from AD side) helps to resolve this as Gustavo already suggested - using resetserverpasswd option with the server_cifs -Join command.

Please note that this command can be run Online which will not affect the users access to the CIFS server or share. The command will look like -

$ server_cifs server_x -Join compname= ,domain= ,admin= -option resetserverpasswd

You may also refer to the EMC primus emc95309 for more details.

Thanks,
Sandip

whoreallycares · Answer

Hi,

I'm sorry. I think I've been fooled by a true clock skew problem because the max time gap imposed by the DC is really really short.

I could not imagine a 61sec gap would cause us so me many troubles.

Let's close this discussion.

I've opened another one, title is "datamover clock skew after reboot" to discuss the real root cause.

Eric

Celerra

Was this post helpful?