Hi
We have set up IPA with AD trust on RHEL and this Works fine.
Running IPA 4.5
However, sometimes we are unable to mount home (with autofs).
I have found that the KDC claims "Clock skew too great"; however, I cannot see any problems.
kinit works fine and I have a kerberos TGT:
klist
Ticket cache: KEYRING:persistent:0:0
Default principal: USER@REALM

Valid starting       Expires              Service principal
09/06/2017 09:40:00  09/06/2017 19:40:00  krbtgt/REALM@REALM
        renew until 09/07/2017 09:39:54
To test, manually mounting fails:
mount.nfs4 -v -s -o rw,nodev,nosuid,hard,sec=krb5p profil01.domain:/var/nfs/profil/user /mnt/
mount.nfs4: timeout set for Wed Sep 6 09:42:29 2017
mount.nfs4: trying text-based options 'hard,sec=krb5p,sloppy,addr=10.101.173.91,clientaddr=10.101.11.195'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting profil01.domain:/var/nfs/profil/user
krb5kdc.log in IPA shows:
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
However, the time between ipa, client and nfs server is within 1 second (and same timezone).
I'm unsure on how to debug further as everything seems fine so any help would be appreciated.
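A quick way to triage a krb5kdc.log for this failure, added here as an example and not part of the original post or of FreeIPA: it extracts the client address, client principal and requested service from every TGS request the KDC rejected with "Clock skew too great" and counts them, so a host whose clock is persistently off stands out from a one-off. The sample log is constructed: the two rejected requests quoted above, plus an invented second client (10.101.11.196, host/oas09d) and an invented successful ISSUE line to show that only rejections are counted.

```shell
#!/bin/sh
# Triage "Clock skew too great" TGS rejections in an MIT krb5 KDC log.
# Example code, not from the original post or from FreeIPA.

# skew_failures LOGFILE
# Prints one line per (client address, client principal, service principal)
# that the KDC rejected for clock skew, followed by the number of rejections.
# Only TGS_REQ/PROCESS_TGS lines are matched, which is where NFS service
# ticket requests show up.
skew_failures() {
    grep 'Clock skew too great' "$1" |
    sed -n 's/.*TGS_REQ ([^)]*) \([0-9A-Fa-f.:]*\): PROCESS_TGS: authtime [0-9]*, \([^ ]*\) for \([^,]*\), Clock skew too great.*/\1 \2 \3/p' |
    sort | uniq -c |
    awk '{ print $2, $3, $4, $1 }'
}

# write_sample_log PATH
# Constructed sample: the two rejected requests from the thread, one invented
# second client, and one invented successful (ISSUE) request that must not be
# counted.
write_sample_log() {
    cat >"$1" <<'EOF'
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
Sep 06 09:44:10 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.196: PROCESS_TGS: authtime 0, host/oas09d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:44:12 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.197: ISSUE: authtime 1504683852, etypes {rep=18 tkt=18 ses=18}, host/oas10d.domain@REALM for nfs/profil01.domain@REALM
EOF
}

# Stand-alone run against the constructed sample.
sample=$(mktemp)
write_sample_log "$sample"
skew_failures "$sample"
rm -f "$sample"
```

On a real IPA server run it as `skew_failures /var/log/krb5kdc.log`; the last column is the rejection count, and the first column is the client address to go and check the clock on.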
Hmm......
Found the error..... It appears it's the hardware time that's used for Kerberos, and as the hardware apparently is ~6 minutes off....... well....
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
If you have VMs in the mix and use ntp, use tinker panic 0 in their ntp.conf files.
/tony
On 09/06/2017 11:41 AM, Troels Hansen via FreeIPA-users wrote:
--
Kind regards
*Troels Hansen*
Senior Linux Engineer
Casalogic A/S
T (+45) 70 20 10 63
M (+45) 22 43 71 57
http://www.casalogic.dk/signatur/th.vcf http://www.linkedin.com/company/67524 http://twitter.com/casalogic Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
Well... as per Red Hat best practice on RHEL7 we use Chrony, which also has the ability to sync software time to hardware.
Or at least, it should.....
We have discovered that Hyper-V is as bad as always and that it's almost impossible to have synced hardware and software time, and that some servers (still not on IPA) have a time difference of several hours.
It seems to depend on load: higher load means a higher time difference.
So the next question is: I cannot find any documentation on Kerberos and software vs. hardware time, and whether it's possible to force Kerberos to use software time, as this seems to be the only way to get a correct time on Hyper-V?
----- On Sep 6, 2017, at 12:29 PM, Tony Brian Albers via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
--
Tony Albers
Systems administrator, IT-development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316
Troels Hansen via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
We have discovered that Hyper-V is as bad as always and that it's almost impossible to have synced hardware and software time, and that some servers (still not on IPA) have a time difference of several hours.
I don't know what "hardware" and "software" time mean here. On Linux, time is kept by the hardware and accessed by the kernel, both for its own needs and for user space programs.
I cannot find any documentation on Kerberos and software vs. hardware time, and whether it's possible to force Kerberos to use software time, as this seems to be the only way to get a correct time on Hyper-V?
krb5 works with system time (glorified unix timestamps, in fact). It is not aware of timezones and the like; everything is done in seconds since the epoch.
Basically: time(2) needs to behave correctly, otherwise nothing can be expected to work.
Thanks, --Robbie
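The practical check that follows from Robbie's point, added here as an example (not code from the thread or from MIT krb5): the KDC compares the timestamp in the request with its own system clock and rejects anything further apart than clockskew, which defaults to 300 seconds in the [libdefaults] section of krb5.conf. The script below reports how far apart three sources are: the system clock (what time(2) returns, and therefore what krb5 uses), the RTC as hwclock reads it, and chronyd's current offset from NTP as printed by `chronyc tracking`. An RTC that is 6 minutes off does not by itself change what krb5 sees; it matters when it is copied into the system clock (at boot before chronyd has synced, by `hwclock --hctosys`, or by hypervisor time synchronization), and this makes that gap visible before that happens. Assumptions: GNU date (for `date -d`), util-linux hwclock (needs root) and chronyc on the PATH; the parsing of hwclock's output, covering both the older "... 2017  -0.5 seconds" and the newer ISO format, is an assumption. The 6-minute pair at the end is constructed to mirror the gap found above.

```shell
#!/bin/sh
# Report clock skew between the sources that matter for Kerberos.
# Example code, not from the thread or from MIT krb5.

# MIT krb5 default for [libdefaults] clockskew is 300 seconds.
KRB5_CLOCKSKEW=${KRB5_CLOCKSKEW:-300}

# skew_seconds A B: print |A - B| for two epoch-second values.
skew_seconds() {
    d=$(( $1 - $2 ))
    echo "${d#-}"
}

# skew_ok A B: succeed (0) when |A - B| is within KRB5_CLOCKSKEW.
skew_ok() {
    [ "$(skew_seconds "$1" "$2")" -le "$KRB5_CLOCKSKEW" ]
}

# report LABEL A B: one line per pair, flagged when the KDC would reject it.
report() {
    s=$(skew_seconds "$2" "$3")
    if skew_ok "$2" "$3"; then
        echo "$1: ${s}s apart (within clockskew=$KRB5_CLOCKSKEW)"
    else
        echo "$1: ${s}s apart (EXCEEDS clockskew=$KRB5_CLOCKSKEW, KDC would answer 'Clock skew too great')"
    fi
}

# rtc_epoch: the RTC as read by hwclock, converted to epoch seconds.
# Assumption: util-linux hwclock; the sed strips the "  -0.123456 seconds"
# drift suffix printed by older versions so GNU date -d can parse the rest.
rtc_epoch() {
    raw=$(hwclock --show 2>/dev/null) || return 1
    date -d "$(echo "$raw" | sed 's/ *-*[0-9.]* seconds$//')" +%s 2>/dev/null
}

# ntp_offset_seconds: chronyd's offset from NTP, from the "System time" line
# of "chronyc tracking". Signed: positive means the system clock is ahead.
ntp_offset_seconds() {
    command -v chronyc >/dev/null 2>&1 || return 1
    chronyc tracking 2>/dev/null |
    awk '/^System time/ { off = $4; if ($6 == "slow") off = -off; print off; exit }'
}

# Stand-alone run: live comparison where the tools are available, then the
# constructed 6-minute gap from the thread.
sys=$(date +%s)
if rtc=$(rtc_epoch) && [ -n "$rtc" ]; then
    report "system clock vs RTC" "$sys" "$rtc"
else
    echo "system clock vs RTC: hwclock not available (run as root)"
fi
if off=$(ntp_offset_seconds) && [ -n "$off" ]; then
    ntp=$(awk -v s="$sys" -v o="$off" 'BEGIN { printf "%d", s - o }')
    report "system clock vs NTP" "$sys" "$ntp"
else
    echo "system clock vs NTP: chronyc not available"
fi
# Constructed: a system clock and an RTC 360 s (6 minutes) apart.
report "constructed: system clock vs RTC 6 minutes off" 1504683600 1504683960
```

The same skew_ok test applies between any client and the KDC: a VM whose system clock gets stepped more than 300 s away from the KDC's will fail every TGS request until chronyd pulls it back. With chrony, the rtcsync directive in chrony.conf has the kernel copy the system clock to the RTC periodically, which is the Chrony counterpart to keeping hwclock in step.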
----- On Sep 8, 2017, at 5:22 PM, Robbie Harwood rharwood@redhat.com wrote:
I don't know what "hardware" and "software" time mean here. On Linux, time is kept by the hardware and accessed by the kernel, both for its own needs and for user space programs.
What I mean is hardware clock (rtc).
From what I can see, Kerberos uses the RTC for requesting tickets, and thus gets a "clock skew too great" even though `date` shows the correct date.
Right now we are kind of giving up on keeping hwclock in sync with the system time on Hyper-V....
I believe there is actually an RTC issue with Hyper-V, RHEL guests, and chrony. This sounds like it might be your issue.