Hmm... Found the error... It appears it's the hardware time that's used for Kerberos, and as the hardware apparently is ~6 minutes off... well...
----- On Sep 6, 2017, at 9:50 AM, Troels Hansen via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Hi
>
> We have set up IPA with AD trust on RHEL and this works fine.
> Running IPA 4.5
>
> However, sometimes we are unable to mount home (with autofs).
> I have found that the KDC claims "Clock skew too great"; however, I cannot see any problems.
>
> kinit works fine and I have a Kerberos TGT:
>
> klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: USER@REALM
>
> Valid starting       Expires              Service principal
> 09/06/2017 09:40:00  09/06/2017 19:40:00  krbtgt/REALM@REALM
>         renew until 09/07/2017 09:39:54
>
> To test, manually mounting fails:
>
> mount.nfs4 -v -s -o rw,nodev,nosuid,hard,sec=krb5p profil01.domain:/var/nfs/profil/user /mnt/
> mount.nfs4: timeout set for Wed Sep 6 09:42:29 2017
> mount.nfs4: trying text-based options 'hard,sec=krb5p,sloppy,addr=10.101.173.91,clientaddr=10.101.11.195'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting profil01.domain:/var/nfs/profil/user
>
> krb5kdc.log in IPA shows:
>
> Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
> Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
> Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
> Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
>
> However, the time between IPA, client and NFS server is within 1 second (and same timezone).
>
> I'm unsure how to debug further as everything seems fine, so any help would be appreciated.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

--
Kind regards

Troels Hansen
Senior Linux Engineer
Casalogic A/S
T (+45) 70 20 10 63
M (+45) 22 43 71 57

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
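Added example, not part of the original thread: a small Python triage helper that reads krb5kdc.log lines in the format quoted above and groups "Clock skew too great" rejections by client address and principal, which shows whose clocks (system and hardware) to check. The sample log is constructed from the excerpt in this message; the second host, oas09d at 10.101.11.50, and its successful request are made up.

```python
import re

# Line shape taken from the krb5kdc.log excerpt quoted in this thread:
# <time> <kdc> krb5kdc[pid](info): TGS_REQ (...) <ip>: <STATUS>: ..., <client> for <service>[, <error>]
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?:AS_REQ|TGS_REQ) \(.*?\) (?P<ip>[0-9a-fA-F.:]+): (?P<status>[A-Z_]+): "
    r".*?(?P<client>\S+@\S+) for (?P<service>\S+@[^,\s]+)(?:, (?P<error>.+))?$"
)
SKEW = "Clock skew too great"

# Constructed sample: the two rejected requests from the thread, plus one
# made-up successful request from a hypothetical second host (oas09d).
SAMPLE_LOG = """\
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:44:10 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.50: ISSUE: authtime 1504683600, etypes {rep=18 tkt=18 ses=18}, host/oas09d.domain@REALM for nfs/profil01.domain@REALM
"""


def skew_failures(lines):
    """Return {(client_ip, client_principal): summary} for skew rejections."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None or m["error"] != SKEW:
            continue  # not a request line, or not a clock-skew rejection
        key = (m["ip"], m["client"])
        entry = hits.setdefault(
            key, {"count": 0, "services": set(), "first": m["ts"]}
        )
        entry["count"] += 1
        entry["services"].add(m["service"])
        entry["last"] = m["ts"]  # KDC-side time of the latest rejection
    return hits


if __name__ == "__main__":
    for (ip, client), e in skew_failures(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} {client}: {e['count']} rejected, "
              f"{e['first']} to {e['last']}, for {', '.join(sorted(e['services']))}")
```

The principal in the result is the host principal of the client at 10.101.11.195, so that machine is the one whose clocks to compare against the KDC.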