samba-users May 2010 archive

Re: [Samba] AD Integration drives me nuts

From: Mike <samba_at_nospam>
Date: Wed May 05 2010 - 21:20:41 GMT
To: samba@lists.samba.org

Hi Stan

Knew that... I have all of them pulling the same ntp source. Clock skew
is > 3 secs! :)

Thanks for your effort, but Dale already solved my problem.

-- 
Rgds
Mike

On Wed, 2010-05-05 at 16:11 -0500, Stan Hoeppner wrote:
> Mike put forth on 5/5/2010 1:38 PM:
> > Hi
> >
> > This has been keeping me up for days now and I can't seem to find a solution
> > in the various wikis, howtos and whatsoevers, so here's the plot:
> >
> > I have a W2K3 R2 x64 Domaincontroller (VM on vSphere4) and a CentOS 5.4
> > x64 fileserver (also a VM on vSphere4, same ESX-host), running Samba
> > 3.0.33-3.15.el5_4.1 (rpm installation out of the box).
>
> Make sure your system time is accurate on your VM guests. Virtual machines
> on VMWare ESX are notorious for not keeping time correctly, sometimes
> drifting by hours in a single day. Read, thoroughly, and implement the
> recommendations in this guide:
>
> http://www.vmware.com/pdf/vmware_timekeeping.pdf
>
> Kerberos requires client and server clocks to be no more than 5 minutes
> apart. From:
> http://web.mit.edu/Kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Clock-Skew.html
>
> "6.2 Clock Skew
>
> In order to prevent intruders from resetting their system clocks in order to
> continue to use expired tickets, Kerberos V5 is set up to reject ticket
> requests from any host whose clock is not within the specified maximum clock
> skew of the KDC (as specified in the kdc.conf file). Similarly, hosts are
> configured to reject responses from any KDC whose clock is not within the
> specified maximum clock skew of the host (as specified in the krb5.conf
> file). The default value for maximum clock skew is 300 seconds, or five minutes.
>
> MIT suggests that you add a line to client machines' /etc/rc files to
> synchronize the machine's clock to your KDC at boot time. On UNIX hosts,
> assuming you had a kdc called kerberos in your realm, this would be:
>
>      gettime -s kerberos
>
> If the host is not likely to be rebooted frequently, you may also want to
> set up a cron job that adjusts the time on a regular basis."
>
> Clock may not be the cause of your current problems, but over 80% of the
> time it is the cause of kerberos problems with VMWare guests.
>
> --
> Stan
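
The 300-second limit quoted above can be checked by measuring the offset between the Samba host and the DC over NTP. The following is an added example, not part of the original thread: it assumes the DC answers NTP on UDP 123, and the function names and sample timestamps are constructed for illustration.

```python
import socket, struct, time

NTP_DELTA = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
MAX_CLOCK_SKEW = 300     # Kerberos V5 default maximum clock skew, in seconds

def to_ntp(t):
    """Unix time -> 8-byte NTP timestamp (32-bit seconds, 32-bit fraction)."""
    sec = int(t)
    return struct.pack("!II", sec + NTP_DELTA, int((t - sec) * 2**32))

def from_ntp(buf, off):
    sec, frac = struct.unpack_from("!II", buf, off)
    return sec - NTP_DELTA + frac / 2**32

def clock_offset(reply, t4):
    """Offset of the server clock relative to ours, from a 48-byte NTP reply.
    t4 is our clock reading when the reply arrived."""
    if len(reply) < 48 or reply[0] & 0x07 != 4:      # mode 4 = server
        raise ValueError("not an NTP server reply")
    t1, t2, t3 = (from_ntp(reply, o) for o in (24, 32, 40))
    return ((t2 - t1) + (t3 - t4)) / 2

def within_kerberos_skew(offset, limit=MAX_CLOCK_SKEW):
    return abs(offset) <= limit

def query_offset(host, timeout=3.0):
    """Live check against an NTP responder (assumed: the DC answers on UDP 123)."""
    t1 = time.time()
    request = b"\x1b" + b"\0" * 39 + to_ntp(t1)      # version 3, mode 3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, 123))
        reply, _ = s.recvfrom(512)
    return clock_offset(reply, time.time())

def sample_reply(t1, t2, t3):
    """Constructed reply for offline use: header, then ref/orig/recv/xmit stamps."""
    header = bytes([0x1c, 2, 6, 0xEC]) + b"\0" * 12  # LI 0, VN 3, mode 4, stratum 2
    return header + to_ntp(t2) + to_ntp(t1) + to_ntp(t2) + to_ntp(t3)

if __name__ == "__main__":
    t1 = 1273094441.0                                # constructed guest clock reading
    reply = sample_reply(t1, t1 + 400.010, t1 + 400.011)
    off = clock_offset(reply, t1 + 0.021)
    print(f"offset {off:+.3f}s, within Kerberos limit: {within_kerberos_skew(off)}")
```

A positive offset means the server clock is ahead of the local one; `query_offset` takes the host name or address of the DC.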