[Samba] AD Integration drives me nuts

Mike samba at protec-enterprises.com
Wed May 5 15:20:41 MDT 2010


Hi Stan

Knew that... I have all of them pulling the same ntp source. Clock skew
is > 3 secs! :)

Thanks for your effort, but Dale already solved my problem.

--
Rgds
Mike

On Wed, 2010-05-05 at 16:11 -0500, Stan Hoeppner wrote:
> Mike put forth on 5/5/2010 1:38 PM:
> > Hi
> > 
> > This has been keeping me up for days now and I can't seem to find a solution
> > in the various wikis, howtos and whatsoevers, so here's the plot:
> > 
> > I have a W2K3 R2 x64 domain controller (VM on vSphere4) and a CentOS 5.4
> > x64 fileserver (also a VM on vSphere4, same ESX-host), running Samba
> > 3.0.33-3.15.el5_4.1 (rpm installation out of the box).
> 
> Make sure your system time is accurate on your VM guests.  Virtual machines
> on VMware ESX are notorious for not keeping time correctly, sometimes
> drifting by hours in a single day.  Read, thoroughly, and implement the
> recommendations in this guide:
> 
> http://www.vmware.com/pdf/vmware_timekeeping.pdf
> 
> Kerberos requires client and server clocks to be no more than 5 minutes
> apart.  From:
> http://web.mit.edu/Kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Clock-Skew.html
> 
> "6.2 Clock Skew
> 
> In order to prevent intruders from resetting their system clocks in order to
> continue to use expired tickets, Kerberos V5 is set up to reject ticket
> requests from any host whose clock is not within the specified maximum clock
> skew of the KDC (as specified in the kdc.conf file). Similarly, hosts are
> configured to reject responses from any KDC whose clock is not within the
> specified maximum clock skew of the host (as specified in the krb5.conf
> file). The default value for maximum clock skew is 300 seconds, or five minutes.
> 
> MIT suggests that you add a line to client machines' /etc/rc files to
> synchronize the machine's clock to your KDC at boot time. On UNIX hosts,
> assuming you had a kdc called kerberos in your realm, this would be:
> 
>      gettime -s kerberos
> 
> If the host is not likely to be rebooted frequently, you may also want to
> set up a cron job that adjusts the time on a regular basis."
> 
> 
> Clock may not be the cause of your current problems, but over 80% of the
> time it is the cause of Kerberos problems with VMware guests.
> 
> -- 
> Stan
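
Added example, not part of either message: a Python check of the rule quoted from the MIT documentation, comparing a local clock against the time in an SNTP server reply and against the maximum clock skew from krb5.conf. It assumes `clockskew` is set as integer seconds under `[libdefaults]`; the function names, the sample config and the sample packet are constructed for illustration.

```python
import re
import struct

NTP_UNIX_DELTA = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
DEFAULT_CLOCKSKEW = 300       # default maximum clock skew quoted above, in seconds

def max_clockskew(krb5_conf_text):
    """Return clockskew from [libdefaults], or the 300 s default if unset."""
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "libdefaults":
            m = re.match(r"clockskew\s*=\s*(\d+)\s*$", line)
            if m:
                return int(m.group(1))
    return DEFAULT_CLOCKSKEW

def server_time_from_sntp(reply):
    """Return the transmit timestamp of an SNTP server reply as Unix seconds."""
    if len(reply) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    if reply[0] & 0x07 != 4:                     # low 3 bits = mode, 4 = server
        raise ValueError("not a server-mode NTP reply")
    secs, frac = struct.unpack("!II", reply[40:48])
    if secs == 0:
        raise ValueError("server sent no transmit timestamp")
    return secs - NTP_UNIX_DELTA + frac / 2**32

def skew_report(local_unix, reply, krb5_conf_text):
    """Compare the measured offset with the configured Kerberos limit."""
    limit = max_clockskew(krb5_conf_text)
    offset = server_time_from_sntp(reply) - local_unix
    return {"offset": offset, "limit": limit, "ok": abs(offset) <= limit}

# Constructed sample: a server reply whose clock is 400 s ahead of the local clock.
SAMPLE_LOCAL = 1273094441
SAMPLE_REPLY = (bytes([0x24]) + bytes(39) +
                struct.pack("!II", SAMPLE_LOCAL + 400 + NTP_UNIX_DELTA, 0))
SAMPLE_CONF = "[libdefaults]\n default_realm = EXAMPLE.COM\n"

if __name__ == "__main__":
    print(skew_report(SAMPLE_LOCAL, SAMPLE_REPLY, SAMPLE_CONF))
```

The offset ignores network round-trip delay, which is negligible next to a limit measured in minutes.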
