
You are able to join the Virtual Center Server Appliance (VCSA) to a domain successfully, but you see these symptoms:

• When using the vSphere Client connected to the vCenter Server, the Domain: drop-down shows only (server) when you try to add a user in the Select Users and Groups window.
• You cannot add domain users to manage the vCenter Server.
• The /var/log/messages log contains entries similar to:

    GSS-API error calling gss_init_sec_context: 851968 (Unspecified GSS failure. Minor code may provide more information)
    GSS-API error calling gss_init_sec_context: -1765328347 (Clock skew too great)

• When running a network trace on the VCSA command line while joining the VCSA to the domain, you see an error similar to:

    KRB Error: KRB5KRB_AP_ERR_SKEW
This issue occurs when the time skew between the Virtual Center Server Appliance (VCSA) and a related Domain Controller is greater than 5 minutes. This can be either:

• A Domain Controller in the domain that the VCSA is being joined to
• A Domain Controller in a trusted domain of the domain the VCSA is being joined to
To resolve this issue, identify the time skew between this Domain Controller and the VCSA.

To check and set the date on the VCSA:

1. SSH to the VCSA with root credentials.
2. Execute the command date and compare the time value to the Domain Controller.
3. If the time needs to be changed to be in sync, execute this command:

    date -s "HH:MM:SS" ; date

4. Verify the results with the Domain Controller current time.
5. Attempt to re-add the users.

It is possible that the Domain Controller may be part of a trusted domain and out of sync with its Primary Domain Controller (PDC). If this is the case, the Domain Controller time skew must be resolved.

Note: This is something that should be resolved with Microsoft support. Once this is done you should be able to add domain users correctly without issues.

To identify the time skew error:

1. SSH to the VCSA with root credentials.
2. Execute this command:

    tcpdump > /tmp/tcpdump.txt

3. SCP the tcpdump.txt file to a local workstation and import it into Wireshark for analysis. Alternatively, grep the tcpdump.txt file for the time skew error, for example:

    grep -i KRB5KRB_AP_ERR_SKEW /tmp/tcpdump.txt

For additional information, see Managing the Windows Time Service.
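The two checks above (comparing clocks and searching for the skew error) can be combined into one triage script. This is an added example, not part of the original article; the function names, the sample log lines and the epoch values are constructed, and the Domain Controller time is assumed to be supplied by the operator as an epoch timestamp.

```sh
#!/bin/sh
# Added example. SKEW_LIMIT is the 5-minute threshold stated in the article.
SKEW_LIMIT=300

# Constructed sample input built from the messages quoted in the article.
write_sample_log() {
    cat > "$1" <<'EOF'
host1 GSS-API error calling gss_init_sec_context: 851968 (Unspecified GSS failure. Minor code may provide more information)
host1 GSS-API error calling gss_init_sec_context: -1765328347 (Clock skew too great)
host1 unrelated message (constructed)
host1 KRB Error: KRB5KRB_AP_ERR_SKEW
EOF
}

# Count lines carrying a skew indicator: the GSS-API text or minor code,
# or the Kerberos error name. The generic 851968 line alone is not counted.
count_skew_errors() {
    grep -E -i -c -e 'Clock skew too great|-1765328347|KRB5KRB_AP_ERR_SKEW' -- "$1" || true
}

# Absolute difference in seconds between two epoch timestamps.
skew_seconds() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    echo "$d"
}

# Compare the local clock with the Domain Controller clock (both as epochs).
check_skew() {
    s=$(skew_seconds "$1" "$2")
    if [ "$s" -gt "$SKEW_LIMIT" ]; then
        echo "SKEW ${s}s"
    else
        echo "OK ${s}s"
    fi
}

# Demo on constructed data; on the appliance, pass /var/log/messages or
# /tmp/tcpdump.txt and use "$(date +%s)" as the local epoch.
log=$(mktemp)
write_sample_log "$log"
echo "skew indicators found: $(count_skew_errors "$log")"
echo "clock check: $(check_skew 1700000000 1700000420)"
rm -f "$log"
```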
For translated versions of this article, see:

• Japanese: Domain is not visible when trying to add user permissions after joining the vCenter Server Appliance to a domain (2030069)
• Cannot display the domain when adding user permissions after adding the Virtual Center Server Appliance to a domain

Setting the Time Zone in the vCenter Server Appliance
How to install tcpdump package on vCenter Server Appliance