Hmm...... 

Found the error..... It appears it's the hardware time that's used for Kerberos 
and as the hardware apparently is ~6 minutes off....... well.... 

----- On Sep 6, 2017, at 9:50 AM, Troels Hansen via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote: 

> Hi

> We have set up IPA with AD trust on RHEL and this works fine.

> Running IPA 4.5

> However, sometimes we are unable to mount home (with autofs).

> I have found that the KDC claims "Clock skew too great"; however, I cannot see
> any problems.

> kinit works fine and I have a kerberos TGT:

> klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: USER@REALM

> Valid starting Expires Service principal
> 09/06/2017 09:40:00 09/06/2017 19:40:00 krbtgt/REALM@REALM
> renew until 09/07/2017 09:39:54

> To test, manually mounting fails:

> mount.nfs4 -v -s -o rw,nodev,nosuid,hard,sec=krb5p profil01.domain:/var/nfs/profil/user /mnt/
> mount.nfs4: timeout set for Wed Sep 6 09:42:29 2017
> mount.nfs4: trying text-based options 'hard,sec=krb5p,sloppy,addr=10.101.173.91,clientaddr=10.101.11.195'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting profil01.domain:/var/nfs/profil/user

> krb5kdc.log in IPA shows:

> Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
> Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
> Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
> Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11

> However, the time between ipa, client and nfs server is within 1 second (and
> same timezone).

> I'm unsure how to debug further, as everything seems fine, so any help would be
> appreciated.


-- 

Kind regards 

Troels Hansen 

Senior Linux Engineer 

Casalogic A/S 

T (+45) 70 20 10 63 

M (+45) 22 43 71 57 

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and 
much more. 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
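A parser for the krb5kdc.log lines quoted in the thread, added here as an example and not code from the thread or from FreeIPA: it groups "Clock skew too great" refusals by client address so the drifting host stands out even when its system time looks right, and checks a measured offset against the MIT krb5 default clockskew of 300 seconds. The sample log is constructed from the quoted lines; the successful ISSUE line with its hostname and address is an assumption.

```python
import re
from collections import defaultdict

# MIT krb5 refuses requests whose timestamp differs from the KDC's clock by more
# than the libdefaults "clockskew" value; the default is 300 seconds.
DEFAULT_CLOCKSKEW_SECONDS = 300

# Matches the PROCESS_TGS lines krb5kdc writes when it refuses a service-ticket
# request, in the format quoted in the thread.
TGS_REJECT = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"TGS_REQ \(\d+ etypes \{[^}]*\}\) (?P<client>[0-9a-fA-F.:]+): PROCESS_TGS: "
    r"authtime \d+, (?P<principal>\S+) for (?P<service>\S+), (?P<result>.*)$"
)

# Constructed sample: the two refusals quoted above, a housekeeping line, and one
# assumed successful ISSUE line from another client (placeholder host/address).
SAMPLE_LOG = """\
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:44:10 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.200: ISSUE: authtime 1504683850, etypes {rep=18 tkt=18 ses=18}, host/ok01.domain@REALM for nfs/profil01.domain@REALM
"""

def parse_tgs_rejections(log_text):
    """Return (timestamp, client, service, reason) for every refused TGS_REQ."""
    rejections = []
    for line in log_text.splitlines():
        m = TGS_REJECT.match(line)
        if m:  # ISSUE (success) and "closing down" lines do not match and are skipped
            rejections.append((m["ts"], m["client"], m["service"], m["result"]))
    return rejections

def clock_skew_by_client(log_text):
    """Count "Clock skew too great" refusals per client address."""
    counts = defaultdict(int)
    for _ts, client, _service, reason in parse_tgs_rejections(log_text):
        if reason == "Clock skew too great":
            counts[client] += 1
    return dict(counts)

def exceeds_clockskew(offset_seconds, clockskew=DEFAULT_CLOCKSKEW_SECONDS):
    """True when a client/KDC time offset is outside the KDC's tolerance."""
    return abs(offset_seconds) > clockskew

if __name__ == "__main__":
    for client, n in clock_skew_by_client(SAMPLE_LOG).items():
        print(f"{client}: {n} clock-skew refusals")
    print("6 minutes off is refused:", exceeds_clockskew(6 * 60))
```

Run it against a real log extract by reading the file into clock_skew_by_client in place of SAMPLE_LOG; the per-client counts point at the host whose clock (system or hardware) needs checking.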