
OS: Ubuntu 18.04.4, Samba version 4.7.6-Ubuntu

I have this problem with this machine. Whenever the system restarts, winbind.service fails to start properly, and the error "clock skew too great" is recorded in the logs.

winbind log:

[2020/02/17 17:25:12.840317,  0] ../source3/winbindd/winbindd_cache.c:3170(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2020/02/17 17:25:12.879543,  0] ../lib/util/become_daemon.c:124(daemon_ready)
  STATUS=daemon 'winbindd' finished starting up and ready to serve connections
[2020/02/17 17:25:18.175567,  0] ../source3/librpc/crypto/gse.c:532(gse_get_client_auth_token)
  gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Clock skew too great](2529638949)
[2020/02/17 17:25:18.397020,  0] ../source3/librpc/crypto/gse.c:532(gse_get_client_auth_token)
  gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Clock skew too great](2529638949)
[2020/02/17 17:25:18.909264,  0] ../source3/librpc/crypto/gse.c:532(gse_get_client_auth_token)
  gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Clock skew too great](2529638949)

Once the machine is started, I can manually systemctl restart winbind and it starts with no problem at all.

I have checked every possible configuration and all seems to be in order. Also I have recreated the machine from scratch.

I have configured chrony as the time synchronization client, and also tried systemd-timesync. The machine is in fact synchronized when I check it.

I have also tried to edit /lib/systemd/system/winbind.service by adding After=chrony.service but that makes no difference.

In the DC, chrony shows that clients are connected:

Hostname                      NTP   Drop Int IntL Last     Cmd   Drop Int  Last
===============================================================================
smb1.domain.club               181      0   6   -    36       0      0   -     -
giorgilaptop.domain.club         3      0  12   -   40m       0      0   -     -
plex.domain.club               110      0   6   -     0       0      0   -     -

In the machine that fails, the right source is also shown:

localuser@smb1:~$ sudo chronyc sources
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* dc1.domain.club                2   6   377    47    -12us[  -17us] +/-   20ms

The machine was created following these steps:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

https://wiki.samba.org/index.php/Time_Synchronisation#Configuring_Time_Synchronisation_on_a_Unix_Domain_Member

EDIT: Apparently this happens when the VMs run in ESXi 6.7 on my server. I have downloaded the VM to VMware Workstation and winbind starts without any problem. This would have to be related in some way to ESXi and time synchronization.

giorgiline
  • Do you need winbind, or could you use realmd to join an AD/Samba 4 domain? If you do not need winbind, realmd is probably a better supported tool (see https://www.redhat.com/en/blog/sssd-vs-winbind - realmd uses sssd under the hood). Also, as a workaround, you could restart winbind in a cronjob after rebooting. – natxo asenjo Feb 17 '20 at 16:59
  • Actually, I don't have a clue if I need it or not. I know little about how this works; I'm just trying to experiment with it. – giorgiline Feb 17 '20 at 17:32
  • If you don't know, then you probably don't need it ;-). You could try using the instructions here: https://www.server-world.info/en/note?os=Ubuntu_18.04&p=realmd in a VM, for instance. – natxo asenjo Feb 17 '20 at 17:45
  • I think I would go with a cronjob on reboot in the meantime – giorgiline Feb 17 '20 at 19:55
  • What I don't understand is how another machine with the exact same configuration can work, and not this one. – giorgiline Feb 17 '20 at 20:04

2 Answers


Problem solved.

If you are using VMware ESXi as I do, you have to enable NTP synchronization in the ESXi settings so it starts with the host, and add the same pools that your domain controller has configured in its NTP server.

(screenshot: ESXi time & date settings)

Then, for every virtual machine that is a domain member, you have to enable, under the VMware Tools options, time synchronization between the guest machine and the host.


giorgiline

You have dealt with the problem in the short term, but the major problem still remains, as you didn't address the real issue and caused an infra-wide security issue.

The issue

Your Linux clients are not able to connect to AD after reboot.

Reason

When winbind is used, the client trying to connect to AD should be in sync with AD's time, differing by not more than 5 minutes.

Your solution doesn't fully work because

The solution that you have provided only works when VMware Tools are installed; otherwise this issue reoccurs, as the VM cannot fetch time from its host.

Security problem caused

Pointing AD and the ESXi host directly to public NTP servers gives you a security issue, which is not recommended by Microsoft or VMware.

I would suggest establishing an NTP server and pointing all the ADs and ESX hosts to the internal NTP server, and if any clients do not have VMware Tools you can point them to the internal NTP server as well.

  • So, for that to be properly set up, I would need another machine outside of this server to act as an NTP server, wouldn't I? So there is no right way of doing it with only one server. – giorgiline Feb 18 '20 at 16:36
  • Nope. You could easily set up a Linux VM if it is a small environment, or a 4-node NTP cluster if it is an enterprise-level environment, which gives more flexibility: the NTP nodes get synced with external pools and the whole NTP communication is restricted to the environment, not exposed to the internet. – Sampath Madala Feb 19 '20 at 02:39
  • So then wouldn't it be better to set up the NTP server in the AD, and point the ESXi NTP client to the AD? – giorgiline Feb 19 '20 at 16:17
  • Then you will be exposing AD to the internet. – Sampath Madala Feb 20 '20 at 17:10
  • When you're working on servers you have to ask one question all the time: can I avoid exposing this publicly, which would put me in an insecure environment? – Sampath Madala Feb 20 '20 at 17:14
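The second answer's "Reason" section and the question's note that After=chrony.service made no difference point at the same gap: systemd ordering only guarantees that chrony has been started, not that the clock has actually been synchronised, so winbind can still present Kerberos tokens outside the 5-minute skew tolerance. The script below is an added example, not code from the thread or from the Samba or chrony projects. It parses the text that `chronyc tracking` prints, reports whether the clock is synchronised and within a skew limit, and is shaped so that `winbind_precheck` could be used as a systemd ExecStartPre gate. The 300-second limit, the function names and the three sample outputs are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether the local clock is close
# enough to NTP time for Kerberos before letting winbind start. Parses the
# text printed by `chronyc tracking`. The 300-second limit reflects the
# 5-minute clock-skew tolerance the answer mentions; the sample outputs are
# constructed, not captured from the machines in the thread.

MAX_SKEW_SECONDS=300

# check_skew TRACKING_TEXT [MAX_SECONDS]
# Exit 0 when the text reports a synchronised clock whose offset from NTP time
# is below MAX_SECONDS; exit 1 (with the reason on stdout) otherwise.
check_skew() {
    tracking="$1"
    max="${2:-$MAX_SKEW_SECONDS}"
    printf '%s\n' "$tracking" | awk -v max="$max" '
        # chrony reports "Not synchronised" while it is running but has no
        # usable source yet: the state right after boot that After=chrony.service
        # does not protect against.
        /^Leap status/ { if (index($0, "Not synchronised")) unsynced = 1 }
        # "System time : 0.000012345 seconds fast of NTP time" -> 0.000012345
        # (chrony prints a magnitude plus fast/slow, so the value is never negative)
        /^System time/ { split($0, a, ":"); split(a[2], b, " "); offset = b[1] + 0; seen = 1 }
        END {
            if (unsynced)      { print "clock not synchronised";              exit 1 }
            if (!seen)         { print "no System time line in output";       exit 1 }
            if (offset >= max) { printf "offset %.3fs >= %ds\n", offset, max;  exit 1 }
            printf "offset %.6fs within %ds\n", offset, max
            exit 0
        }'
}

# winbind_precheck: what an ExecStartPre= line would run on a real host.
# Fails closed (exit 1) if chronyc is missing or prints nothing usable.
winbind_precheck() {
    check_skew "$(chronyc tracking 2>/dev/null)" "$MAX_SKEW_SECONDS"
}

# Constructed samples of `chronyc tracking` output.
SAMPLE_SYNCED='Reference ID    : C0A80001 (dc1.domain.club)
Stratum         : 3
Ref time (UTC)  : Mon Feb 17 17:25:10 2020
System time     : 0.000012345 seconds fast of NTP time
Last offset     : -0.000017000 seconds
Leap status     : Normal'

SAMPLE_UNSYNCED='Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000000 seconds fast of NTP time
Last offset     : +0.000000000 seconds
Leap status     : Not synchronised'

SAMPLE_SKEWED='Reference ID    : C0A80001 (dc1.domain.club)
Stratum         : 3
Ref time (UTC)  : Mon Feb 17 17:25:10 2020
System time     : 412.500000000 seconds slow of NTP time
Last offset     : -412.500000000 seconds
Leap status     : Normal'

# Demonstration on the constructed samples.
for name in SYNCED UNSYNCED SKEWED; do
    eval "sample=\$SAMPLE_$name"
    if check_skew "$sample"; then
        echo "$name: would start winbind"
    else
        echo "$name: would hold winbind"
    fi
done
```

To use it on a domain member, the function would be invoked from a drop-in such as /etc/systemd/system/winbind.service.d/override.conf with an ExecStartPre= line calling a script that runs `winbind_precheck` (the path and drop-in name are assumptions, not from the thread); if the precheck fails, winbind does not start and the unit can be retried once chrony has a source. The built-in `chronyc waitsync` command offers a simpler blocking wait for the same condition, but the parser above also makes the measured offset visible in the journal, which is what you want when diagnosing a host that is "synchronised" yet still rejected by the DC.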