CIFS is inaccessible with KRB5KRB_AP_ERR_SKEW due to NTP rejected
Applies to
- ONTAP 9
- CIFS
- Kerberos
Issue
- All Windows clients lost access to CIFS shares.
- Error seen in SECD:
Sun Jul 19 2020 16:49:44 [kern_secd:info:8268] | info : Cluster and Domain Controller times differ by more than the configured clock skew (KRB5KRB_AP_ERR_SKEW)
- The NTP status show both configured NTP servers are being rejected due to excessive time skew:
NODE01::> set -privilege advanced
NODE01*::> cluster time-service ntp status show -node * -instance
Node: NODE01
NTP Server Host Name, IPv4 or IPv6 Address: 10.1.2.2
Server IP Address: 10.1.2.2
Is Peer Reachable and Responding to Polls?: true
Is Peer Selected as Clock Source?: true
State of Server Selection: sys_peer
Description of Server Selection State: Server Rejected for Excessive Skew
Time from Last Poll (secs): 422
Offset from Server Time (ms): 13.77
Delay Time to Server (ms): 0.363
Maximum Offset Error (ms): 9.495
Reachability of Server: ff
Stratum of Server Clock: 2
Reference Clock at Server: 10.1.10.10
Reported Packet and Peer Errors: -
Node: NODE01
NTP Server Host Name, IPv4 or IPv6 Address: 10.1.1.3
Server IP Address: 10.1.1.3
Is Peer Reachable and Responding to Polls?: true
Is Peer Selected as Clock Source?: false
State of Server Selection: outlyer
Description of Server Selection State: Server Rejected for Excessive Skew
Poll Interval (secs): 524
Time from Last Poll (secs): 345
Offset from Server Time (ms): 15.796
Delay Time to Server (ms): 0.426
Maximum Offset Error (ms): 8.861
Reachability of Server: ff
Stratum of Server Clock: 3
Reference Clock at Server: 10.1.10.10
Reported Packet and Peer Errors: -