12:09 a.m.
This was working fine, now I get the error below in engine.log when I try
to log in. The clock times are the same. I even changed the time service on
the domain controller to use the same NTP source as the engine server. I
have rebooted the domain controller to make sure that all settings were
applied, but I still get this error. I can log into our other AD domain
without issue, the problem is just with this particular domain.
2014-04-07 16:05:07,453 ERROR
[org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy]
(ajp--127.0.0.1-8702-7) Kerberos error: Clock skew too great (37)
2014-04-07 16:05:07,454 ERROR
[org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy]
(ajp--127.0.0.1-8702-7) Authentication Failed. The Engine clock is not
synchronized with directory services (must be within 5 minutes difference).
Please verify the clocks are synchronized
2014-04-07 16:05:07,456 ERROR
[org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
(ajp--127.0.0.1-8702-7) Failed ldap search server ldap://par-dc1:389 using
user jclay(a)CORPORATE.WELLSCO.NET due to Authentication Failed. The Engine
clock is not synchronized with directory services (must be within 5 minutes
difference). Please verify the clocks are synchronized. We should try the
next server
1:19 a.m.
Hi,
Seems you still have some issue in your environment if this error is reported, you can try
to kinit yourself and check.
For that you will need an appropriate krb5.conf file to be placed at
/etc/krb5.conf - and to perform
kinit user@REALM
the content of the krb5.conf file can be:
[libdefaults]
default_realm = <YOUR_REALM>
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = no
no-addresses = false
default_tkt_enctypes = arcfour-hmac-md5
udp_preference_limit = 1
----- Original Message -----
From: "Jeff Clay" <jeffclay(a)gmail.com>
To: users(a)ovirt.org
Sent: Tuesday, April 8, 2014 12:09:23 AM
Subject: [Users] Login Error using AD domain
This was working fine, now I get the error below in engine.log when I try
to log in. The clock times are the same. I even changed the time service on
the domain controller to use the same NTP source as the engine server. I
have rebooted the domain controller to make sure that all settings were
applied, but I still get this error. I can log into our other AD domain
without issue, the problem is just with this particular domain.
2014-04-07 16:05:07,453 ERROR
[org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy]
(ajp--127.0.0.1-8702-7) Kerberos error: Clock skew too great (37)
2014-04-07 16:05:07,454 ERROR
[org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy]
(ajp--127.0.0.1-8702-7) Authentication Failed. The Engine clock is not
synchronized with directory services (must be within 5 minutes difference).
Please verify the clocks are synchronized
2014-04-07 16:05:07,456 ERROR
[org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
(ajp--127.0.0.1-8702-7) Failed ldap search server ldap://par-dc1:389 using
user jclay(a)CORPORATE.WELLSCO.NET due to Authentication Failed. The Engine
clock is not synchronized with directory services (must be within 5 minutes
difference). Please verify the clocks are synchronized. We should try the
next server
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
3882
days inactive
3882
days old
1 comments
2 participants
participants (2)
-
Jeff Clay -
Yair Zaslavsky