False time skew errors KRB5KRB_AP_ERR_SKEW observed between SVM and DC

Applies to

• ONTAP 9.3 to ONTAP 9.8
• SMB 2
• SMB 3

Issue

• EMS logs display there was a time skew between SVM and DC:

cluster::*> event log show -event secd*
 Node             Severity      Event
 ---------------- ------------- ---------------------------
 cluster-01   ERROR         secd.cifsAuth.problem: vserver (svm) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.216.yy.xx
  [  5 ms] Error accepting security context for Vserver identifier (3). Cluster and Domain Controller times differ by more than the configured clock skew (KRB5KRB_AP_ERR_SKEW).
**[     7] FAILURE: CIFS authentication failed

1/3/2024 08:21:30 Netappnas001-02 ERROR secd.kerberos.tktnyv: Kerberos client ticket not yet valid for vserver (svmcifs) client IP (10.101.81.16).

• SECD logs shows:

[kern_secd:info:8459] .------------------------------------------------------------------------------.
[kern_secd:info:8459] |                                 RPC FAILURE:                                 |
[kern_secd:info:8459] |                      secd_rpc_auth_extended has failed                       |
[kern_secd:info:8459] |                          Result = 0, RPC Result = 4                          |
[kern_secd:info:8459] |                   RPC received at Mon Apr 29 11:09:01 2019                   |
[kern_secd:info:8459] |------------------------------------------------------------------------------'
[kern_secd:info:8459] Failure Summary:
[kern_secd:info:8459] Error: User authentication procedure failed
[kern_secd:info:8459] CIFS SMB2 Share mapping - Client Ip = 10.216.yy.xx
[kern_secd:info:8459]   [  5 ms] Error accepting security context for Vserver identifier (3). Cluster and Domain Controller times differ by more than the configured clock skew (KRB5KRB_AP_ERR_SKEW).
[kern_secd:info:8459] **[     7] FAILURE: CIFS authentication failed

• SVM has active connections to DC.

cluster::*> vserver  cifs domain  discovered-servers  show -vserver  svm
Node: cdot-01
Vserver: svm
Domain Name     Type     Preference DC-Name         DC-Address      Status
--------------- -------- ---------- --------------- --------------- ---------
naslab.local    KERBEROS adequate   WIN-OBK6KRHGRH5 xx.yy.zz.30    undetermined
naslab.local    KERBEROS adequate   WIN-RH1QTMQCSIK xx.yy.zz.42    undetermined
naslab.local    KERBEROS preferred  win-aesid9bf636 xx.yy.zz.191   undetermined
naslab.local    KERBEROS preferred  win-k8f679t5rhm xx.yy.zz.190   undetermined
naslab.local    MS-LDAP  preferred  win-aesid9bf636 xx.yy.zz.191   OK
naslab.local    MS-LDAP  preferred  win-k8f679t5rhm xx.yy.zz.190   OK
naslab.local    MS-LDAP  adequate   win-obk6krhgrh5 xx.yy.zz.30    undetermined
naslab.local    MS-LDAP  adequate   win-rh1qtmqcsik xx.yy.zz.42    undetermined
naslab.local    MS-DC    adequate   WIN-OBK6KRHGRH5 xx.yy.zz.30    undetermined
naslab.local    MS-DC    preferred  win-aesid9bf636 xx.yy.zz.191   undetermined
naslab.local    MS-DC    preferred  win-k8f679t5rhm xx.yy.zz.190   OK
naslab.local    MS-DC    adequate   win-rh1qtmqcsik xx.yy.zz.42    undetermined
12 entries were displayed.

• When we check the date and time on SVM and DC, there is no SKEW and they are in sync. 
• No impact reported by users.