Hi,

We have set up IPA with AD trust on RHEL and this works fine. Running IPA 4.5.

However, sometimes we are unable to mount home (with autofs). I have found that the KDC claims "Clock skew too great"; however, I cannot see any problems. kinit works fine and I have a Kerberos TGT:

    klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: USER@REALM

    Valid starting       Expires              Service principal
    09/06/2017 09:40:00  09/06/2017 19:40:00  krbtgt/REALM@REALM
            renew until 09/07/2017 09:39:54

To test, manually mounting fails:

    mount.nfs4 -v -s -o rw,nodev,nosuid,hard,sec=krb5p profil01.domain:/var/nfs/profil/user /mnt/
    mount.nfs4: timeout set for Wed Sep 6 09:42:29 2017
    mount.nfs4: trying text-based options 'hard,sec=krb5p,sloppy,addr=10.101.173.91,clientaddr=10.101.11.195'
    mount.nfs4: mount(2): Permission denied
    mount.nfs4: access denied by server while mounting profil01.domain:/var/nfs/profil/user

krb5kdc.log in IPA shows:

    Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
    Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
    Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
    Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11

However, the time between IPA, client and NFS server is within 1 second (and same timezone). I'm unsure how to debug further as everything seems fine, so any help would be appreciated.
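An added example, not part of the original message: a small parser for krb5kdc.log request lines like the ones quoted above, which groups rejected requests by client address, client principal, service principal and error, so it is clear which principal the KDC turned down. The names `parse_requests` and `summarize_failures` are hypothetical, and the sample is the two TGS_REQ lines from the message plus one constructed successful AS_REQ line.

```python
import re
from collections import Counter

# Sample input: first line is CONSTRUCTED (a successful AS_REQ for contrast);
# the remaining lines are the ones quoted in the message above.
SAMPLE_LOG = """\
Sep 06 09:40:00 ipa01.domain krb5kdc[1833](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.195: ISSUE: authtime 1504683600, etypes {rep=18 tkt=18 ses=18}, USER@REALM for krbtgt/REALM@REALM
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
"""

# Layout: "<ts> <kdc> krb5kdc[pid](lvl): AS_REQ|TGS_REQ (N etypes {..}) <ip>:
#          <STATUS>: authtime <n>, [etypes {..}, ]<client> for <service>[, <error>]"
REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[\d ]*)\}\) "
    r"(?P<ip>\S+): (?P<status>[A-Z0-9_]+): authtime (?P<authtime>\d+), "
    r"(?:etypes \{[^}]*\}, )?"
    r"(?P<client>.+?) for (?P<service>[^,\s]+)(?:, (?P<error>.+))?$"
)


def parse_requests(text):
    """Return one dict per AS_REQ/TGS_REQ line; all other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = REQ_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["etypes"] = [int(e) for e in rec["etypes"].split()]
        rec["authtime"] = int(rec["authtime"])
        records.append(rec)
    return records


def summarize_failures(records):
    """Count rejected requests per (client IP, client principal, service, error)."""
    return Counter(
        (r["ip"], r["client"], r["service"], r["error"])
        for r in records
        if r["error"]  # issued tickets carry no trailing error text
    )


if __name__ == "__main__":
    for (ip, client, service, error), n in summarize_failures(parse_requests(SAMPLE_LOG)).items():
        print(f"{n}x {error}: {client} ({ip}) -> {service}")
```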