Question

Cannot authenticate NAC via Active Directory


2017-02-11 14:16:04,522 ERROR [SambaInstallationManager] Failed to join domain: "ERUTIP.LOCAL" for user: "administrator" with error code: 1 kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS failure. Minor code may provide more information : Clock skew too great
ADS join did not work, falling back to RPC...
Unable to find a suitable server for domain ERUTIP
Unable to find a suitable server for domain ERUTIP
Failed to join domain: failed to connect to AD: Unspecified GSS failure. Minor code may provide more information : Clock skew too great

2017-02-11 14:16:04,523 ERROR [SambaInstallationManager] Looked up IP "ERUTIP.LOCAL" => ERUTIP.LOCAL/10.120.120.121 and was able to ping it.
2017-02-11 14:16:04,527 ERROR [SambaInstallationManager] The user: "erutip\administrator" and password were verified via LDAP and we verified the user is a domain admin.

3 replies

Userlevel 5
Hello hbudus,

The devil is in the details! Here is what is wrong: "Clock skew too great". The time and date need to match what is on your AD controllers. It is probably an incorrect time zone somewhere.

Are you using NTP to keep your clocks in sync? Ideally you want everything on your network using the same time source.
Hi Steve,

I checked it. NAC, Purview, Netsight, Wireless Controller and Microsoft Active Directory have the same time and timezone.
Userlevel 5
Oh boy. I have also had this problem in the past. You are not getting the full story in these error messages. The "time error" is probably a red herring [insert punchline].

I'll bet that there are better clues in the Windows Event Logs of your AD servers. How many AD servers do you have? If it's only a couple, I would check the Security Event logs on all of your controllers and see what they are reporting from the Windows side of things.
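
Added example, not part of the thread: one way to measure the clock offset between the host joining the domain and a domain controller in UTC terms, which is what Kerberos compares, rather than comparing displayed times. It assumes the controller answers SNTP on UDP 123 and that the Kerberos tolerance is at its default of 300 seconds; the function names and the sample reply are constructed for this example.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
KRB5_MAX_SKEW = 300           # assumed default Kerberos clock-skew tolerance, seconds

def ntp_to_unix(buf, off):
    """Decode a 64-bit NTP timestamp at byte offset `off` into Unix seconds (UTC)."""
    sec, frac = struct.unpack_from("!II", buf, off)
    return sec - NTP_EPOCH_DELTA + frac / 2**32

def clock_offset(reply, t1, t4):
    """Server-minus-local offset: ((T2 - T1) + (T3 - T4)) / 2."""
    if len(reply) < 48:
        raise ValueError("SNTP reply shorter than 48 bytes")
    if reply[0] & 0x07 != 4 or reply[1] == 0:
        raise ValueError("not a usable server reply (mode/stratum)")
    t2 = ntp_to_unix(reply, 32)   # server receive timestamp
    t3 = ntp_to_unix(reply, 40)   # server transmit timestamp
    return ((t2 - t1) + (t3 - t4)) / 2

def skew_verdict(offset, limit=KRB5_MAX_SKEW):
    state = "exceeds" if abs(offset) > limit else "is within"
    return f"offset {offset:+.1f}s {state} the {limit}s Kerberos tolerance"

def query_offset(server, timeout=3.0):
    """Send one SNTP client request to `server` on UDP 123 and return the offset."""
    request = b"\x23" + bytes(47)  # LI=0, VN=4, mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(request, (server, 123))
        reply, _ = s.recvfrom(512)
        t4 = time.time()
    return clock_offset(reply, t1, t4)

def constructed_reply(server_unix):
    """Constructed sample reply (mode 4, stratum 2) stamped with `server_unix`."""
    ts = struct.pack("!II", int(server_unix) + NTP_EPOCH_DELTA, 0)
    return b"\x24\x02" + bytes(30) + ts + ts

if __name__ == "__main__":
    local = 1486822564.0  # constructed local clock reading
    # Constructed case: peer clock 7 hours ahead in UTC terms.
    print(skew_verdict(clock_offset(constructed_reply(local + 7 * 3600), local, local)))
```

Running `query_offset()` from the joining host against each domain controller in turn shows whether any one of them is outside the tolerance.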
