Hi 

We have set up IPA with AD trust on RHEL and this works fine.

Running IPA 4.5 

However, sometimes we are unable to mount home (with autofs). 

I have found that the KDC claims "Clock skew too great"; however, I cannot see
any problems.

kinit works fine and I have a Kerberos TGT:

klist
Ticket cache: KEYRING:persistent:0:0 
Default principal: USER@REALM 

Valid starting Expires Service principal 
09/06/2017 09:40:00 09/06/2017 19:40:00 krbtgt/REALM@REALM 
renew until 09/07/2017 09:39:54

To test, manually mounting fails:

mount.nfs4 -v -s -o rw,nodev,nosuid,hard,sec=krb5p profil01.domain:/var/nfs/profil/user /mnt/
mount.nfs4: timeout set for Wed Sep 6 09:42:29 2017
mount.nfs4: trying text-based options 'hard,sec=krb5p,sloppy,addr=10.101.173.91,clientaddr=10.101.11.195'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting profil01.domain:/var/nfs/profil/user

krb5kdc.log in IPA shows:

Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11

However, the time between ipa, client and nfs server is within 1 second (and
same timezone).

I'm unsure on how to debug further as everything seems fine so any help would
be appreciated.
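
An added example, not part of the original message: a small Python parser for krb5kdc.log request entries in the format quoted above, which groups "Clock skew too great" rejections by client address, client principal and target service. The sample log is constructed (the rejected entries are unwrapped copies of the ones in the post, the final ISSUE entry is invented for contrast), and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: one log entry per line, in the krb5kdc.log layout shown in the post.
SAMPLE_LOG = """\
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:44:10 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.195: ISSUE: authtime 1504683600, etypes {rep=18 tkt=18 ses=18}, USER@REALM for nfs/profil01.domain@REALM
"""

# One AS_REQ/TGS_REQ entry: timestamp, KDC host, client address, status,
# authtime, client principal, service principal and an optional error text.
REQ_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<client_ip>\S+): "
    r"(?P<status>[A-Z_]+): authtime (?P<authtime>\d+), "
    r"(?:etypes \{[^}]*\}, )?(?P<client>\S+) for (?P<service>[^,\s]+)"
    r"(?:, (?P<error>.+))?$"
)


def parse_kdc_log(text):
    """Return one dict per request entry; housekeeping lines are skipped."""
    return [m.groupdict() for line in text.splitlines()
            if (m := REQ_RE.match(line.strip()))]


def skew_failures(entries):
    """Count skew rejections per (client IP, client principal, service)."""
    return Counter(
        (e["client_ip"], e["client"], e["service"])
        for e in entries
        if e["error"] and "Clock skew too great" in e["error"]
    )


if __name__ == "__main__":
    entries = parse_kdc_log(SAMPLE_LOG)
    for (ip, client, service), n in skew_failures(entries).most_common():
        print(f"{n} skew rejection(s): {client} from {ip} -> {service}")
```

Run against a real krb5kdc.log, the per-principal grouping shows which credential each rejected request was made with, which is the first thing to line up against the clocks being compared.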