Skip to main content
NetApp Knowledge Base

False time skew errors KRB5KRB_AP_ERR_SKEW observed between SVM and DC

Views:
3,069
Visibility:
Public
Votes:
1
Category:
ontap-9
Specialty:
nas
Last Updated:

Applies to

  • ONTAP 9.3 to ONTAP 9.8
  • SMB 2
  • SMB 3

Issue

  • EMS logs display there was a time skew between SVM and DC:

cluster::*> event log show -event secd*
 Node             Severity      Event
 ---------------- ------------- ---------------------------
 cluster-01   ERROR         secd.cifsAuth.problem: vserver (svm) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.216.yy.xx
  [  5 ms] Error accepting security context for Vserver identifier (3). Cluster and Domain Controller times differ by more than the configured clock skew (KRB5KRB_AP_ERR_SKEW).
**[     7] FAILURE: CIFS authentication failed

1/3/2024 08:21:30 Netappnas001-02 ERROR secd.kerberos.tktnyv: Kerberos client ticket not yet valid for vserver (svmcifs) client IP (10.101.81.16).

  • SECD logs shows:

[kern_secd:info:8459] .------------------------------------------------------------------------------.
[kern_secd:info:8459] |                                 RPC FAILURE:                                 |
[kern_secd:info:8459] |                      secd_rpc_auth_extended has failed                       |
[kern_secd:info:8459] |                          Result = 0, RPC Result = 4                          |
[kern_secd:info:8459] |                   RPC received at Mon Apr 29 11:09:01 2019                   |
[kern_secd:info:8459] |------------------------------------------------------------------------------'
[kern_secd:info:8459] Failure Summary:
[kern_secd:info:8459] Error: User authentication procedure failed
[kern_secd:info:8459] CIFS SMB2 Share mapping - Client Ip = 10.216.yy.xx
[kern_secd:info:8459]   [  5 ms] Error accepting security context for Vserver identifier (3). Cluster and Domain Controller times differ by more than the configured clock skew (KRB5KRB_AP_ERR_SKEW).
[kern_secd:info:8459] **[     7] FAILURE: CIFS authentication failed

  • SVM has active connections to DC.

cluster::*> vserver  cifs domain  discovered-servers  show -vserver  svm
Node: cdot-01
Vserver: svm
Domain Name     Type     Preference DC-Name         DC-Address      Status
--------------- -------- ---------- --------------- --------------- ---------
naslab.local    KERBEROS adequate   WIN-OBK6KRHGRH5 xx.yy.zz.30    undetermined
naslab.local    KERBEROS adequate   WIN-RH1QTMQCSIK xx.yy.zz.42    undetermined
naslab.local    KERBEROS preferred  win-aesid9bf636 xx.yy.zz.191   undetermined
naslab.local    KERBEROS preferred  win-k8f679t5rhm xx.yy.zz.190   undetermined
naslab.local    MS-LDAP  preferred  win-aesid9bf636 xx.yy.zz.191   OK
naslab.local    MS-LDAP  preferred  win-k8f679t5rhm xx.yy.zz.190   OK

naslab.local    MS-LDAP  adequate   win-obk6krhgrh5 xx.yy.zz.30    undetermined
naslab.local    MS-LDAP  adequate   win-rh1qtmqcsik xx.yy.zz.42    undetermined
naslab.local    MS-DC    adequate   WIN-OBK6KRHGRH5 xx.yy.zz.30    undetermined
naslab.local    MS-DC    preferred  win-aesid9bf636 xx.yy.zz.191   undetermined
naslab.local    MS-DC    preferred  win-k8f679t5rhm xx.yy.zz.190   OK
naslab.local    MS-DC    adequate   win-rh1qtmqcsik xx.yy.zz.42    undetermined
12 entries were displayed.

  • When we check the date and time on SVM and DC, there is no SKEW and they are in sync. 
  • No impact reported by users.

 

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.