[Freeipa-users] Re: "Clock skew too great" when mounting NFS with krb

2017-10-01 Thread Aaron Cole via FreeIPA-users
I believe there is actually an RTC issue with Hyper-V, RHEL guests, and chrony.
This sounds like it might be your issue.

https://access.redhat.com/solutions/3091301
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: "Clock skew too great" when mounting NFS with krb

2017-09-09 Thread Troels Hansen via FreeIPA-users

- On Sep 8, 2017, at 5:22 PM, Robbie Harwood rharw...@redhat.com wrote:

> 
> I don't know what "hardware" and "software" time mean here.  On Linux,
> time is kept by the hardware and accessed by the kernel, both for its
> own needs and for user space programs.
> 

What I mean is the hardware clock (RTC).

From what I can see, Kerberos uses the RTC when requesting tickets, thus we get a
"clock skew too great" even though `date` shows the correct date.

Right now we are kind of giving up on keeping hwclock in sync with the system time on
Hyper-V.


[Freeipa-users] Re: "Clock skew too great" when mounting NFS with krb

2017-09-08 Thread Robbie Harwood via FreeIPA-users
Troels Hansen via FreeIPA-users writes:

> We have discovered that Hyper-V is as bad as always and that it's
> almost impossible to have a synced hardware and software time, and
> that some servers (still not on IPA) have a time diff of several
> hours.

I don't know what "hardware" and "software" time mean here.  On Linux,
time is kept by the hardware and accessed by the kernel, both for its
own needs and for user space programs.

> I cannot find any documentation on Kerberos and software vs hardware
> time and whether it's possible to force Kerberos to use software time, as
> this seems to be the only way to get a correct time on Hyper-V?

krb5 works with system time (glorified unix timestamps, in fact).  It is
not aware of timezones and the like; everything is done in seconds since
the epoch.

Basically: time(2) needs to behave correctly, otherwise nothing can be
expected to work.

Thanks,
--Robbie




[Freeipa-users] Re: "Clock skew too great" when mounting NFS with krb

2017-09-06 Thread Tony Brian Albers via FreeIPA-users
If you have VMs in the mix, and use ntp, use "tinker panic 0" in
their ntp.conf files.

/tony

On 09/06/2017 11:41 AM, Troels Hansen via FreeIPA-users wrote:
> Hmm..
> 
> Found the error. It appears it's the hardware time that's used for
> Kerberos, and as the hardware clock apparently is ~6 minutes off... well
> 


-- 
Tony Albers
Systems administrator, IT-development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316


[Freeipa-users] Re: "Clock skew too great" when mounting NFS with krb

2017-09-06 Thread Troels Hansen via FreeIPA-users
Hmm..

Found the error. It appears it's the hardware time that's used for Kerberos,
and as the hardware clock apparently is ~6 minutes off... well

- On Sep 6, 2017, at 9:50 AM, Troels Hansen via FreeIPA-users wrote:

> Hi

> We have set up IPA with AD trust on RHEL and this works fine.

> Running IPA 4.5

> However, sometimes we are unable to mount home (with autofs).

> I have found that the KDC claims "Clock skew too great"; however, I cannot see
> any problems.

> kinit works fine and I have a kerberos TGT:

> klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: USER@REALM

> Valid starting Expires Service principal
> 09/06/2017 09:40:00 09/06/2017 19:40:00 krbtgt/REALM@REALM
> renew until 09/07/2017 09:39:54

> To test. Manually mounting fails:

> mount.nfs4 -v -s -o rw,nodev,nosuid,hard,sec=krb5p
> profil01.domain:/var/nfs/profil/user/mnt/
> mount.nfs4: timeout set for Wed Sep 6 09:42:29 2017
> mount.nfs4: trying text-based options
> 'hard,sec=krb5p,sloppy,addr=10.101.173.91,clientaddr=10.101.11.195'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting
> profil01.domain:/var/nfs/profil/user

> krb5kdc.log in IPA shows:

> Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
> Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
> Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
> Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11

> However, the time between ipa, client and nfs server is within 1 second (and
> same timezone).

> I'm unsure on how to debug further as everything seems fine so any help would
> be appreciated.


-- 

Kind regards

Troels Hansen

Senior Linux Engineer

Casalogic A/S

T (+45) 70 20 10 63

M (+45) 22 43 71 57

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
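Added example, not code from the thread or from FreeIPA: a small Python parser that pulls the "Clock skew too great" rejections out of krb5kdc.log lines in the format quoted above, counts them per client address so the host whose clock needs checking stands out, and a helper that applies krb5's default 300-second clockskew to a measured client/KDC offset. The sample log lines are constructed from the ones in the post; the successful ISSUE line is invented so the filter has something to skip.

```python
import re
from collections import Counter

# Constructed sample modelled on the krb5kdc.log lines quoted in the thread;
# the last line is an invented successful ticket issue that the filter must skip.
SAMPLE_LOG = """\
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:44:10 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.200: ISSUE: authtime 1504683850, etypes {rep=18 tkt=18 ses=18}, host/other.domain@REALM for nfs/profil01.domain@REALM
"""

# One TGS_REQ line: timestamp, KDC host, client address, then the outcome text.
TGS_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
    r"TGS_REQ \([^)]*\) (?P<client>[\d.]+): (?P<rest>.*)$"
)
# "<client principal> for <service principal>" inside the outcome text.
PRINC_RE = re.compile(r"(?P<cprinc>[^\s,]+@[^\s,]+) for (?P<sprinc>[^\s,]+@[^\s,]+)")
DEFAULT_CLOCKSKEW = 300  # krb5's default [libdefaults] clockskew, in seconds

def clock_skew_failures(log_text):
    """Return one record per TGS_REQ the KDC rejected with 'Clock skew too great'."""
    failures = []
    for line in log_text.splitlines():
        m = TGS_RE.match(line)
        if not m or "Clock skew too great" not in m.group("rest"):
            continue
        p = PRINC_RE.search(m.group("rest"))
        failures.append({
            "ts": m.group("ts"),
            "client_ip": m.group("client"),
            "client_princ": p.group("cprinc") if p else None,
            "service_princ": p.group("sprinc") if p else None,
        })
    return failures

def failures_by_client(log_text):
    """Count skew rejections per client address: that is the host whose clock to check."""
    return dict(Counter(f["client_ip"] for f in clock_skew_failures(log_text)))

def skew_exceeds(client_epoch, kdc_epoch, clockskew=DEFAULT_CLOCKSKEW):
    """True if a client/KDC offset in seconds would trip the KDC's skew check (~6 min = 360 s)."""
    return abs(client_epoch - kdc_epoch) > clockskew

if __name__ == "__main__":
    print(failures_by_client(SAMPLE_LOG))
```

Run it against the real /var/log/krb5kdc.log on the IPA server; a client that shows up here while `date` on it looks right is the cue to compare its RTC (hwclock) against the system clock, as the thread found.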