NetApp Knowledgebase

False time skew errors observed between SVM and DC "Cluster and Domain Controller times differ by more than the configured clock skew (KRB5KRB_AP_ERR_SKEW)"

Applies to

Clustered Data ONTAP 9.3+

SMB 2

SMB 3

Issue

  • EMS logs report a time skew between the SVM and the DC:

cluster::*> event log show -event secd*
Time                Node             Severity      Event
------------------- ---------------- ------------- ---------------------------
4/29/2019 11:09:01  cdot-vsim10-01   ERROR         secd.cifsAuth.problem: vserver (svm) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.216.yy.xx
  [  5 ms] Error accepting security context for Vserver identifier (3). Cluster and Domain Controller times differ by more than the configured clock skew (KRB5KRB_AP_ERR_SKEW).
**[     7] FAILURE: CIFS authentication failed

  • SECD logs show:

00000018.000079a0 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] .------------------------------------------------------------------------------.
00000018.000079a1 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] |                                 RPC FAILURE:                                 |
00000018.000079a2 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] |                      secd_rpc_auth_extended has failed                       |
00000018.000079a3 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] |                          Result = 0, RPC Result = 4                          |
00000018.000079a4 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] |                   RPC received at Mon Apr 29 11:09:01 2019                   |
00000018.000079a5 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] |------------------------------------------------------------------------------'
00000018.000079a6 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] Failure Summary:
00000018.000079a7 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] Error: User authentication procedure failed
00000018.000079a8 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] CIFS SMB2 Share mapping - Client Ip = 10.216.yy.xx
00000018.000079a9 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459]   [  5 ms] Error accepting security context for Vserver identifier (3). Cluster and Domain Controller times differ by more than the configured clock skew (KRB5KRB_AP_ERR_SKEW).
00000018.000079aa 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] **[     7] FAILURE: CIFS authentication failed

  • The SVM has active connections to the DC:

cluster::*> vserver  cifs domain  discovered-servers  show -vserver  svm
Node: cdot-01
Vserver: svm
Domain Name     Type     Preference DC-Name         DC-Address      Status
--------------- -------- ---------- --------------- --------------- ---------
naslab.local    KERBEROS adequate   WIN-OBK6KRHGRH5 xx.yy.zz.30    undetermined
naslab.local    KERBEROS adequate   WIN-RH1QTMQCSIK xx.yy.zz.42    undetermined
naslab.local    KERBEROS preferred  win-aesid9bf636 xx.yy.zz.191   undetermined
naslab.local    KERBEROS preferred  win-k8f679t5rhm xx.yy.zz.190   undetermined
naslab.local    MS-LDAP  preferred  win-aesid9bf636 xx.yy.zz.191   OK
naslab.local    MS-LDAP  preferred  win-k8f679t5rhm xx.yy.zz.190   OK

naslab.local    MS-LDAP  adequate   win-obk6krhgrh5 xx.yy.zz.30    undetermined
naslab.local    MS-LDAP  adequate   win-rh1qtmqcsik xx.yy.zz.42    undetermined
naslab.local    MS-DC    adequate   WIN-OBK6KRHGRH5 xx.yy.zz.30    undetermined
naslab.local    MS-DC    preferred  win-aesid9bf636 xx.yy.zz.191   undetermined
naslab.local    MS-DC    preferred  win-k8f679t5rhm xx.yy.zz.190   OK
naslab.local    MS-DC    adequate   win-rh1qtmqcsik xx.yy.zz.42    undetermined
12 entries were displayed.


When the date and time are checked on the SVM and the DC, they are in sync and show no skew.
No users report any impact.
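To see how often these failures occur and which clients they are logged for, the SECD failure records shown above can be tallied per client. This is an added example, not NetApp code: it assumes the SECD log is available as text in the layout of the excerpt above, the function names are hypothetical, and the sample lines and client addresses are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Layout assumed from the SECD excerpt on this page:
# <seq> <id> <Day Mon DD YYYY HH:MM:SS> <+HH:MM> [kern_secd:<level>:<n>] <message>
LINE = re.compile(
    r"^\S+ \S+ (\w{3} \w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d) "
    r"([+-]\d\d:\d\d) \[kern_secd:\w+:\d+\] (.*)$")
CLIENT = re.compile(r"Client Ip = (\S+)")
SKEW = "KRB5KRB_AP_ERR_SKEW"

def skew_failures(lines):
    """Return [(timestamp, client_ip)] for each failure record that cites clock skew."""
    hits, rec = [], None
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a SECD line in the assumed layout
        stamp, offset, msg = m.groups()
        if "RPC FAILURE:" in msg:  # banner line opens a new failure record
            when = datetime.strptime(f"{stamp} {offset}", "%a %b %d %Y %H:%M:%S %z")
            rec = {"when": when, "client": None, "skew": False}
        elif rec is not None:
            ip = CLIENT.search(msg)
            if ip:
                rec["client"] = ip.group(1)
            rec["skew"] = rec["skew"] or SKEW in msg
            if "FAILURE: CIFS authentication failed" in msg:  # record closes
                if rec["skew"]:
                    hits.append((rec["when"], rec["client"]))
                rec = None
    return hits

def per_client(hits):
    """Count skew failures per client address."""
    return Counter(client for _, client in hits)

def mk(t, msg):  # builds one constructed sample line in the assumed layout
    return f"00000018.000079a0 00fcae75 Mon Apr 29 2019 {t} +05:30 [kern_secd:info:8459] {msg}"

SKEW_MSG = f"  [  5 ms] Error accepting security context for Vserver identifier (3). ({SKEW})."
SAMPLE = []  # constructed: two skew failures and one unrelated failure
for t, ip, err in [("11:09:01", "192.0.2.10", SKEW_MSG),
                   ("11:12:40", "192.0.2.11", "  [  5 ms] constructed non-skew error"),
                   ("11:15:02", "192.0.2.10", SKEW_MSG)]:
    SAMPLE += [mk(t, "|   RPC FAILURE:   |"), mk(t, f"CIFS SMB2 Share mapping - Client Ip = {ip}"),
               mk(t, err), mk(t, "**[     7] FAILURE: CIFS authentication failed")]
if __name__ == "__main__":
    print(per_client(skew_failures(SAMPLE)))
```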
