Hi

We have set up IPA with AD trust on RHEL and this works fine.
Running IPA 4.5

However, sometimes we are unable to mount home (with autofs).
I have found that the KDC claims "Clock skew too great" however, I cannot see any problems.

kinit works fine and I have a kerberos TGT:

klist
Ticket cache: KEYRING:persistent:0:0
Default principal: USER@REALM

Valid starting Expires Service principal
09/06/2017 09:40:00 09/06/2017 19:40:00 krbtgt/REALM@REALM
renew until 09/07/2017 09:39:54
To test, manually mounting fails:
mount.nfs4 -v -s -o rw,nodev,nosuid,hard,sec=krb5p profil01.domain:/var/nfs/profil/user /mnt/
mount.nfs4: timeout set for Wed Sep 6 09:42:29 2017
mount.nfs4: trying text-based options 'hard,sec=krb5p,sloppy,addr=10.101.173.91,clientaddr=10.101.11.195'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting profil01.domain:/var/nfs/profil/user
krb5kdc.log in IPA shows:
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
However, the time between ipa, client and nfs server is within 1 second (and same timezone).
I'm unsure on how to debug further as everything seems fine so any help would be appreciated.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
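
The KDC log lines quoted in the post can be grouped by requesting principal, client address and target service, which shows that the rejected requests come from the machine principal host/oas08d.domain@REALM and not from the USER@REALM principal whose TGT klist lists. The following is an added example, not part of the original post; the function names are hypothetical and the last sample line is constructed for contrast.

```python
import re
from collections import Counter

# Layout of krb5kdc TGS_REQ lines as they appear in the excerpt above. The
# optional "etypes {rep=...}" field is what MIT krb5 logs on issued tickets.
TGS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} [\d:]{8}) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"TGS_REQ \(\d+ etypes \{[\d ]+\}\) (?P<ip>\S+): (?P<status>[A-Z_]+): "
    r"authtime (?P<authtime>\d+), (?:etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<service>\S+?)(?:, (?P<error>.+))?$"
)

def parse_tgs(line):
    """Return the fields of one TGS_REQ line, or None for any other line."""
    m = TGS_RE.match(line.strip())
    return m.groupdict() if m else None

def skew_failures(lines):
    """Count 'Clock skew too great' rejections per (client, ip, service)."""
    hits = Counter()
    for rec in filter(None, map(parse_tgs, lines)):
        if rec["error"] == "Clock skew too great":
            hits[(rec["client"], rec["ip"], rec["service"])] += 1
    return hits

def is_machine_principal(principal):
    """True for host/<fqdn>@REALM, the host's own identity rather than a user."""
    return principal.startswith("host/")

# First four lines are copied from the post; the fifth is constructed.
SAMPLE = """\
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
Sep 06 09:45:10 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.195: ISSUE: authtime 1504683600, etypes {rep=18 tkt=18 ses=18}, USER@REALM for nfs/profil01.domain@REALM
""".splitlines()

if __name__ == "__main__":
    for (client, ip, service), n in skew_failures(SAMPLE).items():
        kind = "machine" if is_machine_principal(client) else "user"
        print(f"{n}x {kind} principal {client} from {ip} -> {service}")
```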