After joining the Virtual Center Server Appliance to a domain you cannot see domain when adding user permissions
Article ID: 307148
Updated On:
Products
VMware vCenter Server
Issue/Introduction
Symptoms:
- You are able to join the Virtual Center Server Appliance (VCSA) to a domain successfully.
- When using the vSphere Client connected to the vCenter Server the Domain: drop down only shows (server) when trying to a add user in the Select Users and Groups window.
- You cannot add domain users to manage the vCenter Server.
- The /var/log/messages log contains entries similar to:
GSS-API error calling gss_init_sec_context: 851968 (Unspecified GSS failure. Minor code may provide more information)
GSS-API error calling gss_init_sec_context: -1765328347 (Clock skew too great)
- When running a network trace on the VCSA command line when joining the VCSA to the domain, you see an error similar to:
KRB Error: KRB5KRB_AP_ERR_SKEW
Environment
VMware vCenter Server Appliance 5.0.x
Cause
This issue occurs when the time skew between the Virtual Center Server Appliance(VCSA) and a related Domain Controller is greater than 5 minutes. This can be either:
- A Domain Controller in the domain that the VCSA is being joined to
- A Domain Controller in a trusted domain of the domain the VCSA is being joined to
Resolution
To resolve this issue, identify the time skew between this Domain Controller and VCSA.
To check and set the date on the VCSA:
- SSH to the VCSA with root credentials.
- Execute the command date and compare the time value to the Domain Controller.
- If the time needs to be changed to be in sync, execute this command:
date -s "HH:MM:SS" ; date
- Verify the results with the Domain Controller current time.
- Attempt to re-add the users.
It is possible that the Domain Controller may be part of a trusted domain and out of sync with its Primary Domain Controller (PDC). If this is the case, the Domain Controller time skew must be resolved.
Note: This is something that should be resolved with Microsoft support. Once this is done you should be able to add domain users correctly without issues.
To identify the time skew error:
Note: This is something that should be resolved with Microsoft support. Once this is done you should be able to add domain users correctly without issues.
To identify the time skew error:
- SSH to the VCSA with root credentials.
- Execute this command:
tcpdump > /tmp/tcpdump.txt
- SCP the tcpdump.txt file to a local workstation and import into Wireshark for analysis.
- Alternatively, grep the tcpdump.txt file for the time skew error:
example: grep -i KRB5KRB_AP_ERR_SKEW /tmp/tcpdump.txt
For additional information, see Managing the Windows Time Service.
Additional Information
For translated versions of this article, see:
Virtual Center Server Appliance をドメインに追加した後、ユーザー権限を追加したときドメインを表示できないSetting the Time Zone in the vCenter Server Appliance
How to install tcpdump package on vCenter Server Appliance
Feedback
Yes
No
Powered by
