Hmm......

Found the error... It appears it's the hardware clock's time that's used for Kerberos, and as the hardware clock is apparently ~6 minutes off... well...


----- On Sep 6, 2017, at 9:50 AM, Troels Hansen via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi

We have set up IPA with AD trust on RHEL and this works fine.

Running IPA 4.5

However, sometimes we are unable to mount home (with autofs).

I have found that the KDC claims "Clock skew too great"; however, I cannot see any problems.

kinit works fine and I have a kerberos TGT:

 klist
Ticket cache: KEYRING:persistent:0:0
Default principal: USER@REALM

Valid starting       Expires              Service principal
09/06/2017 09:40:00  09/06/2017 19:40:00  krbtgt/REALM@REALM
        renew until 09/07/2017 09:39:54



To test, manually mounting fails:

mount.nfs4 -v -s -o rw,nodev,nosuid,hard,sec=krb5p profil01.domain:/var/nfs/profil/user/mnt/
mount.nfs4: timeout set for Wed Sep  6 09:42:29 2017
mount.nfs4: trying text-based options 'hard,sec=krb5p,sloppy,addr=10.101.173.91,clientaddr=10.101.11.195'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting profil01.domain:/var/nfs/profil/user


krb5kdc.log in IPA shows:

Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0,  host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0,  host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11


However, the time between ipa, client and nfs server is within 1 second (and same timezone).


I'm unsure how to debug further, as everything seems fine, so any help would be appreciated.


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org

--

Kind regards

Troels Hansen

Senior Linux Engineer

Casalogic A/S

T  (+45) 70 20 10 63

M (+45) 22 43 71 57


Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
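An added check to go with the diagnosis above (example script, not something posted in the thread): a hardware clock about six minutes off exceeds the 300-second skew MIT Kerberos tolerates by default (`clockskew` in krb5.conf), so a host that boots from its RTC before NTP steps the clock will get "Clock skew too great" from the KDC even though the running system clocks agree. The script compares the system clock with `hwclock --show` and reports whether the difference would be rejected. It assumes `hwclock` (util-linux), GNU `date -d` and root on the client; the function names, the `--check` flag and the 300 s default are this example's own.

```shell
#!/bin/sh
# Added example: compare the system clock against the hardware clock (RTC)
# and against the Kerberos maximum tolerated skew.
# 300 s is MIT Kerberos' default `clockskew`; assumed here, adjust if your
# krb5.conf or KDC configures another value.
KRB_MAX_SKEW=300

# abs_diff A B: absolute difference of two integers (epoch seconds).
abs_diff() {
    if [ "$1" -ge "$2" ]; then echo $(( $1 - $2 )); else echo $(( $2 - $1 )); fi
}

# skew_too_great SYS_EPOCH RTC_EPOCH [MAX]: succeeds (exit 0) when the skew
# exceeds MAX seconds, i.e. when the KDC would reject the request.
skew_too_great() {
    d=$(abs_diff "$1" "$2")
    [ "$d" -gt "${3:-$KRB_MAX_SKEW}" ]
}

# rtc_epoch: read the hardware clock with hwclock and convert it to epoch
# seconds. Older util-linux appends "  -0.123456 seconds" to the timestamp,
# which GNU date cannot parse, so strip it first. Needs root (assumption).
rtc_epoch() {
    raw=$(hwclock --show) || return 1
    raw=$(printf '%s\n' "$raw" | sed 's/  *-\{0,1\}[0-9.]* seconds$//')
    date -d "$raw" +%s
}

# check_rtc: report system-vs-RTC skew and whether Kerberos would tolerate it.
check_rtc() {
    sys=$(date +%s)
    rtc=$(rtc_epoch) || { echo "cannot read hardware clock (need root?)" >&2; return 2; }
    d=$(abs_diff "$sys" "$rtc")
    if skew_too_great "$sys" "$rtc"; then
        echo "hardware clock is ${d}s from the system clock (> ${KRB_MAX_SKEW}s):"
        echo "  a host that boots from this RTC will hit 'Clock skew too great'"
        echo "  fix: sync the RTC from the NTP-disciplined system clock: hwclock --systohc"
        return 1
    fi
    echo "hardware clock within ${d}s of system clock: OK"
}

# Only run the live check when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_rtc
fi
```

Run it as root with `sh clockskew-check.sh --check`; a non-zero exit means the RTC drift alone would exceed the KDC's tolerance. Once `hwclock --systohc` has written the RTC, re-run the failing `mount.nfs4 ... sec=krb5p` and confirm the KDC log no longer shows "Clock skew too great" for the `nfs/` service ticket.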