krb5 and clock skew
Eugene M. Zheganin
emz at norma.perm.ru
Fri Nov 12 10:48:34 UTC 2010
Panic on em(4) in vlan environment (after upgrade from 7.2-RELEASE to
8.1-RELEASE) forced me to use 8.1-STABLE (built 2 days ago) on one of my
productions. Almost all is fine now except of two things, which I
decided to split in two letters.
This one is about my kerberos setup.
I have a windows 2008 server which acts as AD domain controller, thus
I have a bunch of various FreeBSD 7.x/8.0 around, and I have this
particular FreeBSD 8.1-STABLE, lets name it 'A'.
'A' is a primary ntp server, which is a preferred and only peer for many
of others FreeBSD servers around.
'A' is synced to some WAN hosts of 1st stratum.
All of 'others' FreeBSD are synced to 'A'.
KDC is also synced to 'A'.
'A' and 'others' FreeBSD have Kerberos V deployed, with identical
configs that point to KDC (win 2008).
All of the machines have user 'emz', which for FreeBSDs is local user
and for KDC is domain user.
The problem is, that 'others' FreeBSD can request tickets for emz with
kinit, but when I'm issuing 'kinit' command on 'A' I'm always getting
'Clock skew too great'. As I said, the time is synced between KDC and 'A'.
I've looked into win 2008 event logs, it says 'reason 0x25', which means
'Clock skew too great', I've looked into tcpdump just to see that
packets coming from KDC contain the same error. I've installed heimdal
1.4 from ports, used it's /usr/local/bin/kinit but situation was the same.
However this setup was working on this server for years, even on 8.1
(during the moments between panics :)) and it was broken after the
upgrade to 8.1-STABLE.
How can I solve this ?
More information about the freebsd-stable