Skip to main content
NetApp Response to Russia-Ukraine Cyber Threat
In response to the recent rise in cyber threat due to the Russian-Ukraine crisis, NetApp is actively monitoring the global security intelligence and updating our cybersecurity measures. We follow U.S. Federal Government guidance and remain on high alert. Customers are encouraged to monitor the Cybersecurity and Infrastructure Security (CISA) website for new information as it develops and remain on high alert.
NetApp Knowledge Base

False time skew errors observed between SVM and DC "Cluster and Domain Controller times differ by more than the configured clock skew (KRB5KRB_AP_ERR_SKEW)"

Views:
1,826
Visibility:
Public
Votes:
1
Category:
ontap-9
Specialty:
cifs
Last Updated:

Applies to

  • ONTAP 9.3+
  • SMB 2
  • SMB 3

Issue

  • EMS logs display there was a time skew between SVM and DC:

cluster::*> event log show -event secd*
 Node             Severity      Event
 ---------------- ------------- ---------------------------
 cluster-01   ERROR         secd.cifsAuth.problem: vserver (svm) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.216.yy.xx
  [  5 ms] Error accepting security context for Vserver identifier (3). Cluster and Domain Controller times differ by more than the configured clock skew (KRB5KRB_AP_ERR_SKEW).
**[     7] FAILURE: CIFS authentication failed

  • SECD logs shows:

[kern_secd:info:8459] .------------------------------------------------------------------------------.
[kern_secd:info:8459] |                                 RPC FAILURE:                                 |
[kern_secd:info:8459] |                      secd_rpc_auth_extended has failed                       |
[kern_secd:info:8459] |                          Result = 0, RPC Result = 4                          |
[kern_secd:info:8459] |                   RPC received at Mon Apr 29 11:09:01 2019                   |
[kern_secd:info:8459] |------------------------------------------------------------------------------'
[kern_secd:info:8459] Failure Summary:
[kern_secd:info:8459] Error: User authentication procedure failed
[kern_secd:info:8459] CIFS SMB2 Share mapping - Client Ip = 10.216.yy.xx
[kern_secd:info:8459]   [  5 ms] Error accepting security context for Vserver identifier (3). Cluster and Domain Controller times differ by more than the configured clock skew (KRB5KRB_AP_ERR_SKEW).
[kern_secd:info:8459] **[     7] FAILURE: CIFS authentication failed

  • SVM has active connections to DC.

cluster::*> vserver  cifs domain  discovered-servers  show -vserver  svm
Node: cdot-01
Vserver: svm
Domain Name     Type     Preference DC-Name         DC-Address      Status
--------------- -------- ---------- --------------- --------------- ---------
naslab.local    KERBEROS adequate   WIN-OBK6KRHGRH5 xx.yy.zz.30    undetermined
naslab.local    KERBEROS adequate   WIN-RH1QTMQCSIK xx.yy.zz.42    undetermined
naslab.local    KERBEROS preferred  win-aesid9bf636 xx.yy.zz.191   undetermined
naslab.local    KERBEROS preferred  win-k8f679t5rhm xx.yy.zz.190   undetermined
naslab.local    MS-LDAP  preferred  win-aesid9bf636 xx.yy.zz.191   OK
naslab.local    MS-LDAP  preferred  win-k8f679t5rhm xx.yy.zz.190   OK

naslab.local    MS-LDAP  adequate   win-obk6krhgrh5 xx.yy.zz.30    undetermined
naslab.local    MS-LDAP  adequate   win-rh1qtmqcsik xx.yy.zz.42    undetermined
naslab.local    MS-DC    adequate   WIN-OBK6KRHGRH5 xx.yy.zz.30    undetermined
naslab.local    MS-DC    preferred  win-aesid9bf636 xx.yy.zz.191   undetermined
naslab.local    MS-DC    preferred  win-k8f679t5rhm xx.yy.zz.190   OK
naslab.local    MS-DC    adequate   win-rh1qtmqcsik xx.yy.zz.42    undetermined
12 entries were displayed.

  • When we check the date and time on SVM and DC, there is no SKEW and they are in sync. 
  • No impact reported by users.

 

Scan to view the article on your device
CUSTOMER EXCLUSIVE CONTENT

Registered NetApp customers get unlimited access to our dynamic Knowledge Base.

New authoritative content is published and updated each day by our team of experts.

Current Customer or Partner?

Sign In for unlimited access

New to NetApp?

Learn more about our award-winning Support