If you have VMs in the mix, and use ntp, use "tinker panic 0" in
their ntp.conf files.

/tony

On 09/06/2017 11:41 AM, Troels Hansen via FreeIPA-users wrote:
> Hmm......
> 
> Found the error.....   It appears it's the hardware time that's used for 
> Kerberos, and as the hardware apparently is ~ 6 minutes off....... well....
> 
> 
> ----- On Sep 6, 2017, at 9:50 AM, Troels Hansen via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
>     Hi
> 
>     We have set up IPA with AD trust on RHEL and this works fine.
> 
>     Running IPA 4.5
> 
>     However, sometimes we are unable to mount home (with autofs).
> 
>     I have found that the KDC claims "Clock skew too great"; however, I
>     cannot see any problems.
> 
>     kinit works fine and I have a kerberos TGT:
> 
>       klist
>     Ticket cache: KEYRING:persistent:0:0
>     Default principal: USER@REALM
> 
>     Valid starting       Expires              Service principal
>     09/06/2017 09:40:00  09/06/2017 19:40:00  krbtgt/REALM@REALM
>              renew until 09/07/2017 09:39:54
> 
> 
> 
>     To test. Manually mounting fails:
> 
>     mount.nfs4 -v -s -o rw,nodev,nosuid,hard,sec=krb5p
>     profil01.domain:/var/nfs/profil/user /mnt/
>     mount.nfs4: timeout set for Wed Sep  6 09:42:29 2017
>     mount.nfs4: trying text-based options
>     'hard,sec=krb5p,sloppy,addr=10.101.173.91,clientaddr=10.101.11.195'
>     mount.nfs4: mount(2): Permission denied
>     mount.nfs4: access denied by server while mounting
>     profil01.domain:/var/nfs/profil/user
> 
> 
>     krb5kdc.log in IPA shows:
> 
>     Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes
>     {18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0, 
>     host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew
>     too great
>     Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
>     Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes
>     {18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0, 
>     host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew
>     too great
>     Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
> 
> 
>     However, the time between ipa, client and nfs server is within 1
>     second (and same timezone).
> 
> 
>     I'm unsure on how to debug further as everything seems fine so any
>     help would be appreciated.
> 
> 
>     _______________________________________________
>     FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>     To unsubscribe send an email to
>     freeipa-users-le...@lists.fedorahosted.org
> 
> 
> -- 
> 
> Kind regards
> 
> *Troels Hansen*
> 
> Senior Linux Engineer
> 
> Casalogic A/S
> 
> T  (+45) 70 20 10 63
> 
> M (+45) 22 43 71 57
> 
> <http://www.casalogic.dk/signatur/th.vcf> 
> <http://www.linkedin.com/company/67524> <http://twitter.com/casalogic>
> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, 
> Sophos and much more.
> 
> 
> 


-- 
Tony Albers
Systems administrator, IT-development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316
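
Added example (not part of the original thread or of FreeIPA): a small parser for krb5kdc.log request lines like the ones quoted above, counting which client address and principal the KDC rejected with "Clock skew too great". The sample lines are constructed from the log excerpt in the thread, rejoined onto single lines; the ISSUE line and the address 10.101.11.196 are made up for contrast.

```python
import re
from collections import Counter

# krb5kdc request line: "<REQ> (<etypes>) <addr>: <STATUS>: [authtime N,]
# [etypes {...},] <client> for <service>[, <error text>]"
REQ_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+,\s+)?(?:etypes \{.*?\},\s+)?"
    r"(?P<client>\S+) for (?P<service>[^\s,]+)(?:, (?P<error>.+))?$"
)

# Constructed sample input (see lead-in); not a real capture.
SAMPLE_LOG = [
    "Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes "
    "{18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0,  "
    "host/oas08d.domain@REALM for nfs/profil01.domain@REALM, "
    "Clock skew too great",
    "Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11",
    "Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes "
    "{18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0,  "
    "host/oas08d.domain@REALM for nfs/profil01.domain@REALM, "
    "Clock skew too great",
    "Sep 06 09:44:10 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes "
    "{18 17 16 23 25 26}) 10.101.11.196: ISSUE: authtime 1504683600, "
    "etypes {rep=18 tkt=18 ses=18}, host/other.domain@REALM for "
    "nfs/profil01.domain@REALM",
]


def clock_skew_clients(lines):
    """Count skew rejections per (client address, client principal, service)."""
    hits = Counter()
    for line in lines:
        m = REQ_RE.search(line.strip())
        # Lines that are not requests (e.g. "closing down fd") do not match;
        # issued tickets match but carry no error text.
        if m and m.group("error") == "Clock skew too great":
            hits[(m.group("addr"), m.group("client"), m.group("service"))] += 1
    return hits


if __name__ == "__main__":
    for (addr, client, service), n in clock_skew_clients(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {addr}  {client} -> {service}")
```

A rejection means the timestamp in that requester's authenticator disagreed with the KDC's clock, so the clocks to compare are those of the listed address and of the KDC itself.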