A Red Hat Enterprise Linux 9 file server that is joined to an Active Directory domain suddenly stops letting domain users mount its SMB share. The system journal records:
gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information, Clock skew too great
Running timedatectl status shows:
Local time: Tue 2025-08-26 14:22:40 EDT
System clock synchronized: no
NTP service: inactive
ntpq -p reports the server at stratum 16 (UNSYNC). No hardware faults or network outages are present.
Which action is the BEST first step to restore domain authentication and keep the problem from occurring again?
Use the date command to set the server's clock manually and disable all time-sync daemons so the time cannot change unexpectedly.
Start and enable the system's NTP client (chronyd or systemd-timesyncd) and configure it to sync with the domain controller's time source.
Change the server's time zone to UTC so its displayed time matches the domain controllers.
Increase the "Maximum tolerance for computer clock synchronization" Kerberos policy on the domain from 5 minutes to 60 minutes.
Kerberos refuses tickets when a client's clock differs from the domain controller by more than the default five-minute window. The log entry and the unsynchronized NTP status confirm that the server's clock is outside that tolerance. Starting an NTP client (chronyd or systemd-timesyncd) and pointing it at the domain's authoritative time source automatically corrects the offset and continues to discipline the clock, eliminating the authentication failures. Manually setting the clock or widening the Kerberos skew window may provide a temporary workaround, but they do not prevent the time from drifting again. Changing the time zone does not affect the underlying UTC clock that Kerberos compares, so it will not solve the issue.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Kerberos and why does clock skew impact it?
Open an interactive chat with Bash
What is the role of NTP in system time synchronization?
Open an interactive chat with Bash
What is the difference between chronyd and systemd-timesyncd?