False time skew errors KRB5KRB_AP_ERR_SKEW observed between SVM and DC
Applies to
- ONTAP 9.3 to ONTAP 9.8
- SMB 2
- SMB 3
Issue
- EMS logs report a time skew between the SVM and the DC:
cluster::*> event log show -event secd*
Node Severity Event
---------------- ------------- ---------------------------
cluster-01 ERROR secd.cifsAuth.problem: vserver (svm) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.216.yy.xx
[ 5 ms] Error accepting security context for Vserver identifier (3). Cluster and Domain Controller times differ by more than the configured clock skew (KRB5KRB_AP_ERR_SKEW).
**[ 7] FAILURE: CIFS authentication failed
1/3/2024 08:21:30 Netappnas001-02 ERROR secd.kerberos.tktnyv: Kerberos client ticket not yet valid for vserver (svmcifs) client IP (10.101.81.16).
- SECD logs show:
[kern_secd:info:8459] .------------------------------------------------------------------------------.
[kern_secd:info:8459] | RPC FAILURE: |
[kern_secd:info:8459] | secd_rpc_auth_extended has failed |
[kern_secd:info:8459] | Result = 0, RPC Result = 4 |
[kern_secd:info:8459] | RPC received at Mon Apr 29 11:09:01 2019 |
[kern_secd:info:8459] |------------------------------------------------------------------------------'
[kern_secd:info:8459] Failure Summary:
[kern_secd:info:8459] Error: User authentication procedure failed
[kern_secd:info:8459] CIFS SMB2 Share mapping - Client Ip = 10.216.yy.xx
[kern_secd:info:8459] [ 5 ms] Error accepting security context for Vserver identifier (3). Cluster and Domain Controller times differ by more than the configured clock skew (KRB5KRB_AP_ERR_SKEW).
[kern_secd:info:8459] **[ 7] FAILURE: CIFS authentication failed
- The SVM has active connections to the DC:
cluster::*> vserver cifs domain discovered-servers show -vserver svm
Node: cdot-01
Vserver: svm
Domain Name Type Preference DC-Name DC-Address Status
--------------- -------- ---------- --------------- --------------- ---------
naslab.local KERBEROS adequate WIN-OBK6KRHGRH5 xx.yy.zz.30 undetermined
naslab.local KERBEROS adequate WIN-RH1QTMQCSIK xx.yy.zz.42 undetermined
naslab.local KERBEROS preferred win-aesid9bf636 xx.yy.zz.191 undetermined
naslab.local KERBEROS preferred win-k8f679t5rhm xx.yy.zz.190 undetermined
naslab.local MS-LDAP preferred win-aesid9bf636 xx.yy.zz.191 OK
naslab.local MS-LDAP preferred win-k8f679t5rhm xx.yy.zz.190 OK
naslab.local MS-LDAP adequate win-obk6krhgrh5 xx.yy.zz.30 undetermined
naslab.local MS-LDAP adequate win-rh1qtmqcsik xx.yy.zz.42 undetermined
naslab.local MS-DC adequate WIN-OBK6KRHGRH5 xx.yy.zz.30 undetermined
naslab.local MS-DC preferred win-aesid9bf636 xx.yy.zz.191 undetermined
naslab.local MS-DC preferred win-k8f679t5rhm xx.yy.zz.190 OK
naslab.local MS-DC adequate win-rh1qtmqcsik xx.yy.zz.42 undetermined
12 entries were displayed.
- When the date and time are checked on the SVM and the DC, they are in sync and there is no skew.
- No impact reported by users.
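To see which client IPs the skew failures are logged against, the SECD failure blocks shown above can be grouped by the "Client Ip" line. This is an added example, not NetApp code; the function names, the documentation-range IPs and the timestamps in the sample are constructed, and the parser assumes the block layout shown in the SECD excerpt.

```python
import re
from collections import defaultdict

PREFIX = re.compile(r"^\[kern_secd:\w+:\d+\]\s*")   # per-line SECD prefix
RPC_TIME = re.compile(r"RPC received at (.+?)\s*\|")
CLIENT = re.compile(r"Client Ip = (\S+)")
SKEW = "KRB5KRB_AP_ERR_SKEW"

def skew_failures_by_client(log_text):
    """Map client IP -> RPC timestamps of failure blocks that report a skew error."""
    blocks = []
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw)
        if "RPC FAILURE" in line:           # start of a new failure block
            blocks.append({"time": None, "ip": None, "skew": False})
        if not blocks:
            continue                        # ignore lines before the first block
        cur = blocks[-1]
        if m := RPC_TIME.search(line):
            cur["time"] = m.group(1)
        elif m := CLIENT.search(line):
            cur["ip"] = m.group(1)
        if SKEW in line:
            cur["skew"] = True
    hits = defaultdict(list)
    for b in blocks:
        if b["skew"]:                       # other authentication failures are skipped
            hits[b["ip"] or "unknown"].append(b["time"])
    return dict(hits)

def _block(when, ip, skew):
    """Build one constructed failure block in the SECD layout shown above."""
    p = "[kern_secd:info:8459] "
    lines = ["| RPC FAILURE: |", "| secd_rpc_auth_extended has failed |",
             f"| RPC received at {when} |", "Failure Summary:",
             "Error: User authentication procedure failed",
             f"CIFS SMB2 Share mapping - Client Ip = {ip}"]
    if skew:
        lines.append("[ 5 ms] Error accepting security context for Vserver identifier (3). "
                     "Cluster and Domain Controller times differ by more than the "
                     f"configured clock skew ({SKEW}).")
    lines.append("**[ 7] FAILURE: CIFS authentication failed")
    return "\n".join(p + l for l in lines)

# Constructed sample: two skew failures from one client, one non-skew failure from another.
SAMPLE = "\n".join([_block("Mon Apr 29 11:09:01 2019", "192.0.2.10", True),
                    _block("Mon Apr 29 11:09:40 2019", "192.0.2.20", False),
                    _block("Mon Apr 29 11:12:17 2019", "192.0.2.10", True)])

if __name__ == "__main__":
    for ip, times in skew_failures_by_client(SAMPLE).items():
        print(f"{ip}: {len(times)} skew failure(s) at {times}")
```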