[Samba] AD Integration drives me nuts

Stan Hoeppner stan at hardwarefreak.com
Wed May 5 15:11:57 MDT 2010


Mike put forth on 5/5/2010 1:38 PM:
> Hi
> 
> This has been keeping me up for days now and I can't seem to find a solution
> in the various wikis, howtos and whatsoevers, so here's the plot:
> 
> I have a W2K3 R2 x64 domain controller (VM on vSphere4) and a CentOS 5.4
> x64 fileserver (also a VM on vSphere4, same ESX-host), running Samba
> 3.0.33-3.15.el5_4.1 (rpm installation out of the box).

Make sure your system time is accurate on your VM guests.  Virtual machines
on VMware ESX are notorious for not keeping time correctly, sometimes
drifting by hours in a single day.  Read, thoroughly, and implement the
recommendations in this guide:

http://www.vmware.com/pdf/vmware_timekeeping.pdf

Kerberos requires client and server clocks to be no more than 5 minutes
apart.  From:
http://web.mit.edu/Kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Clock-Skew.html

"6.2 Clock Skew

In order to prevent intruders from resetting their system clocks in order to
continue to use expired tickets, Kerberos V5 is set up to reject ticket
requests from any host whose clock is not within the specified maximum clock
skew of the KDC (as specified in the kdc.conf file). Similarly, hosts are
configured to reject responses from any KDC whose clock is not within the
specified maximum clock skew of the host (as specified in the krb5.conf
file). The default value for maximum clock skew is 300 seconds, or five minutes.

MIT suggests that you add a line to client machines' /etc/rc files to
synchronize the machine's clock to your KDC at boot time. On UNIX hosts,
assuming you had a kdc called kerberos in your realm, this would be:

     gettime -s kerberos

If the host is not likely to be rebooted frequently, you may also want to
set up a cron job that adjusts the time on a regular basis."


Clock may not be the cause of your current problems, but over 80% of the
time it is the cause of Kerberos problems with VMware guests.

-- 
Stan
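As an added example (not part of Stan's message or the MIT documentation he quotes), a small Python check that measures the offset between a Linux host's clock and its domain controller with a minimal SNTP query (Windows DCs answer NTP on UDP 123) and compares it with the clockskew limit read from krb5.conf, falling back to the 300-second default. The DC name dc1.example.com is a placeholder, and the parsing and verdict logic is separated from the network call so it can be exercised on constructed input.

```python
import re
import socket
import struct
import time

NTP_UNIX_OFFSET = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
DEFAULT_CLOCKSKEW = 300        # MIT krb5 default, as quoted above

def max_skew_from_krb5(conf_text):
    """clockskew (seconds) from the [libdefaults] section of a krb5.conf, else the default."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop '#' comments and whitespace
        sect = re.match(r"\[([^\]]+)\]$", line)
        if sect:
            section = sect.group(1)
            continue
        kv = re.match(r"clockskew\s*=\s*(\d+)$", line)
        if section == "libdefaults" and kv:
            return int(kv.group(1))
    return DEFAULT_CLOCKSKEW

def ntp_time_from_reply(reply):
    """Unix time from the Transmit Timestamp (bytes 40-47) of an SNTP reply (RFC 4330)."""
    if len(reply) < 48:
        raise ValueError("short NTP reply: %d bytes" % len(reply))
    secs, frac = struct.unpack("!II", reply[40:48])
    return secs - NTP_UNIX_OFFSET + frac / 2.0 ** 32

def skew_verdict(local_time, kdc_time, max_skew):
    """Return (within_limit, offset); offset is KDC clock minus local clock, in seconds."""
    offset = kdc_time - local_time
    return abs(offset) <= max_skew, offset

def query_kdc_time(kdc, timeout=3.0):
    """Minimal SNTP client request to the DC's time service (UDP 123); returns its Unix time."""
    request = b"\x1b" + b"\x00" * 47               # LI=0, VN=3, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (kdc, 123))
        reply, _ = sock.recvfrom(512)
    return ntp_time_from_reply(reply)

if __name__ == "__main__":
    kdc = "dc1.example.com"                        # placeholder: your domain controller
    with open("/etc/krb5.conf") as fh:
        limit = max_skew_from_krb5(fh.read())
    ok, offset = skew_verdict(time.time(), query_kdc_time(kdc), limit)
    print("offset to %s: %+.3f s, limit %d s: %s" % (kdc, offset, limit, "OK" if ok else "TOO LARGE"))
```

Run it on the Samba host before `net ads join`; an offset reported as TOO LARGE means the Kerberos exchange with the DC will be rejected until NTP is fixed.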

