Active Directory configuration hangs with a timeout error "Timeout when doing GSSAPI bind. LDAP Connection can't be established"
Article ID: 317822

Products

VMware

Issue/Introduction

Symptoms:
When configuring an Active Directory connection in the Skyline UI, the request hangs for 90 seconds (1 minute and 30 seconds) and then fails with the error message: "Connection to the AD server failed. Either AD credentials are wrong or there is a connectivity issue with the AD server. Underlying error: Timeout when doing GSSAPI bind. LDAP Connection can't be established." The Skyline Virtual Appliance (VA) can ping the AD server and can authenticate to it with Linux OS tools such as kinit and ldapsearch.

Cause

During the bind operation, the Skyline Collector sends large datagram packets over UDP, which is the first protocol tried when authenticating with Kerberos. If a packet exceeds a certain size (i.e. larger than the network MTU), it is dropped by the network layer, or the AD server fails to process it. Because no response is received, the Collector re-sends the packet up to a maximum of 3 times, blocking for 30 seconds on each attempt before it times out, for a total of 90 seconds of blocked waiting for a response. Because of this timeout, the client (the Skyline Collector) never retries over TCP and instead fails with a network error.

Resolution

A code change will make the Skyline Collector prefer TCP over UDP when performing the bind operation, so that TCP's own fragmentation and reassembly are used. The change will not be provided in Skyline 2.8.0.0, because further investigation is required to identify the best implementation strategy for this change.

Workaround:
To force the Kerberos client to always prefer TCP instead of UDP, customers can perform the following configuration change in the Skyline Collector VA (logged in via Console/SSH):
  • Create and edit the file /etc/krb5.conf
  • Insert the following configuration:
    [libdefaults]
    udp_preference_limit=1
  • Save the file, exit, and set the access flags of the newly created file so that the Skyline Collector processes can read its contents:
    chmod a+r /etc/krb5.conf
  • Restart the Collector via systemctl and observe a successful AD configuration.
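The KB steps assume /etc/krb5.conf does not exist yet. The following shell functions are an added example (not part of the KB or of Skyline) that apply the same udp_preference_limit=1 setting idempotently, also covering an existing krb5.conf that has no [libdefaults] section or that already carries the setting, and read the value back for verification; the file path defaults to /etc/krb5.conf and the demo runs only against a constructed temporary copy.

```shell
#!/bin/sh
# Added example, not from the KB: apply the udp_preference_limit=1 workaround
# idempotently, handling a krb5.conf that is missing, has no [libdefaults]
# section, or already carries the setting. Path defaults to /etc/krb5.conf.
set_udp_pref_limit() {
    conf="${1:-/etc/krb5.conf}"
    if [ ! -f "$conf" ]; then
        # No file yet: the KB's minimal file is all that is needed.
        printf '[libdefaults]\nudp_preference_limit=1\n' > "$conf"
    elif grep -q '^[[:space:]]*\[libdefaults\]' "$conf"; then
        # Section exists: rewrite an existing setting (dropping duplicates),
        # otherwise add the line before the next section or at end of file.
        awk '
            /^[[:space:]]*\[/ {
                if (in_ld && !done) { print "udp_preference_limit=1"; done = 1 }
                in_ld = ($0 ~ /^[[:space:]]*\[libdefaults\]/)
            }
            in_ld && /^[[:space:]]*udp_preference_limit[[:space:]]*=/ {
                if (!done) { print "udp_preference_limit=1"; done = 1 }
                next
            }
            { print }
            END { if (in_ld && !done) print "udp_preference_limit=1" }
        ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        # File exists (e.g. only [realms]): append a new section.
        printf '\n[libdefaults]\nudp_preference_limit=1\n' >> "$conf"
    fi
    chmod a+r "$conf"   # KB step: Collector processes must be able to read it
}

# Print the effective value from [libdefaults] (empty if unset) so the
# change can be verified before restarting the Collector.
get_udp_pref_limit() {
    awk '/^[[:space:]]*\[libdefaults\]/ { in_ld = 1; next }
         /^[[:space:]]*\[/ { in_ld = 0 }
         in_ld && /^[[:space:]]*udp_preference_limit[[:space:]]*=/ {
             sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*$/, ""); print; exit
         }' "${1:-/etc/krb5.conf}"
}

# Demo on a constructed sample file (EXAMPLE.COM realm), never the live /etc/krb5.conf.
demo_sample() {
    tmp=$(mktemp)
    printf '[libdefaults]\n default_realm = EXAMPLE.COM\n\n[realms]\n EXAMPLE.COM = {\n  kdc = dc.example.com\n }\n' > "$tmp"
    set_udp_pref_limit "$tmp"
    cat "$tmp"
    rm -f "$tmp"
}
demo_sample
```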