Unsolved
This post is more than 5 years old
25 Posts
0
3185
May 11th, 2010 05:00
LDAP, GSS-API error and clock skew message
Hi,
I do face a problem that seems to be very similiar to the one described here:
https://community.emc.com/thread/85589
But this thread didn't provide me so much help actually...
After each reboot of the datamover, I can see the following messages:
2010-05-11 10:45:37: LDAP: 3: LDAP authentication: GSS initate security context for target: ldap/pye603.mydomain.com@mydomain.com - principal: PYSE20$@MYDOMAIN.COM failed - GSS-API major error: Miscellaneous failure
2010-05-11 10:45:37: LDAP: 3: LDAP authentication: GSS initate security context for target: ldap/pye603.mydomain.com@mydomain.com - principal: PYSE20$@MYDOMAIN.COM failed - GSS-API minor error: Clock skew too great in KDC reply
2010-05-11 10:45:37: LDAP: 3: LdapClient::connect: error message: Sasl protocol violation, (error code 99)
2010-05-11 10:45:37: SMB: 4: Unable to connect to Active Directory server pye603.mydomain.com (10.82.209.187), port 389
The log is full of similiar messages. There are always 4 messages per active domain controller.
NTP is set on the datamover and working well. There is no time gap between the datamover and any domain controlleur server.
Should I bother about all this ?
Anyway to avoid it ?
My version is 5.6.47.11.
Thanks
Eric
gbarretoxx1
366 Posts
0
May 11th, 2010 11:00
Hi,
There might have some problem with the Kerberos information for the CIFS server computer account.
You can try to rejoin the CIFS server with resetserverpassword option. Please, refer to primus emc210491.
Gustavo Barreto.
SAMEERK1
296 Posts
0
May 25th, 2010 08:00
Hi,
These messges are from the control station, I think there is the time differrence between Control station and the domain Controller and there are domain mapped users for the celerra manager. you can try changing the time of the control station as same as the dc you have mapped.
let us know if this clearred the errors.
Sameer
whoreallycares
25 Posts
0
May 25th, 2010 09:00
I'll follow Gustavo's tips to try to address this problem.
No news yet to share unfortunately. I'm relying on some internal teams' support.
This block of error messages is repeated for all active DC.
It difficult to imagine one single DC to be time shifted. ALL of them ? No...
I don't think we do have a concern on the CS.
The date/time/timezone is ok on the CS.
Also, why would these messages be triggered when the datamover is reboot ?
Eric
nandas
4 Operator
•
1.5K Posts
1
May 25th, 2010 10:00
You are right - This may not be a time difference issue - there may be reason which can cause this. Is there any impact accessing the CIFS server and the shares? - I hope not at this moment.
Typically these messages reflects authentication or communication issues between CIFS server and Domain controllers.
Most of the times, resetting the computer account from the data mover end (not from AD side) helps to resolve this as Gustavo already suggested - using resetserverpasswd option with the server_cifs -Join command.
Please note that this command can be run Online which will not affect the users access to the CIFS server or share. The command will look like -
$ server_cifs server_x -Join compname= ,domain= ,admin= -option resetserverpasswd
You may also refer to the EMC primus emc95309 for more details.
Thanks,
Sandip
whoreallycares
25 Posts
0
May 27th, 2010 05:00
Hi,
I'm sorry. I think I've been fooled by a true clock skew problem because the max time gap imposed by the DC is really really short.
I could not imagine a 61sec gap would cause us so me many troubles.
Let's close this discussion.
I've opened another one, title is "datamover clock skew after reboot" to discuss the real root cause.
Eric