krb5 and clock skew

Eugene M. Zheganin emz at
Fri Nov 12 10:48:34 UTC 2010


A panic on em(4) in a vlan environment (after the upgrade from 7.2-RELEASE to 
8.1-RELEASE) forced me to use 8.1-STABLE (built 2 days ago) on one of my 
production machines. Almost everything is fine now except for two things, which I 
decided to split into two letters.

This one is about my kerberos setup.
I have a windows 2008 server which acts as an AD domain controller and thus 
as a KDC.
I have a bunch of various FreeBSD 7.x/8.0 machines around, and I have this 
particular FreeBSD 8.1-STABLE; let's name it 'A'.

'A' is the primary ntp server, which is the preferred and only peer for many 
of the other FreeBSD servers around.
'A' is synced to some stratum 1 WAN hosts.
All of the 'other' FreeBSD machines are synced to 'A'.
The KDC is also synced to 'A'.
'A' and the 'other' FreeBSD machines have Kerberos V deployed, with identical 
configs that point to the KDC (win 2008).
All of the machines have the user 'emz', which on the FreeBSD machines is a local 
user and on the KDC is a domain user.

The problem is that the 'other' FreeBSD machines can request tickets for emz with 
kinit, but when I issue the 'kinit' command on 'A' I always get 
'Clock skew too great'. As I said, the time is synced between the KDC and 'A'.

I've looked into the win 2008 event logs; they say 'reason 0x25', which means 
'Clock skew too great'. I've looked into tcpdump, only to see that the 
packets coming from the KDC contain the same error. I've installed heimdal 
1.4 from ports and used its /usr/local/bin/kinit, but the situation was the same.

However, this setup had been working on this server for years, even on 8.1 
(during the moments between panics :)), and it broke after the 
upgrade to 8.1-STABLE.

How can I solve this?

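Added example, not part of the original post and not Heimdal or FreeBSD code: a decoder for the KRB-ERROR the KDC sends back, so the KDC's own stime in a tcpdump capture can be compared with the client's clock at capture time to tell a real skew from a 0x25 reported for some other reason. The realm EXAMPLE.COM, the timestamps and the DER bytes are constructed for the example, not taken from the poster's setup.

```python
"""Decode a Kerberos KRB-ERROR (RFC 4120 5.9.1) from a tcpdump capture and compare the
KDC's stime/susec with the client's clock: does error-code 37 / 0x25 match a real offset?"""
from datetime import datetime, timedelta, timezone

KRB_AP_ERR_SKEW = 37             # 0x25, the reason code in the KDC event log
MAX_SKEW = timedelta(minutes=5)  # Kerberos default clockskew

def _tlv(data, pos=0):
    """One DER element at pos -> (tag, content, next_pos); handles long-form lengths."""
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:                                    # long form: next n bytes hold the length
        n = ln & 0x7f
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + ln], pos + ln

def parse_krb_error(pkt):
    """Return {context-tag number: inner DER content} for one KRB-ERROR message."""
    tag, app, _ = _tlv(pkt)
    if tag != 0x7e:                                  # [APPLICATION 30] = 0x40 | 0x20 | 30
        raise ValueError("not a KRB-ERROR (tag 0x%02x)" % tag)
    _, seq, _ = _tlv(app)                            # the SEQUENCE inside the application tag
    fields, pos = {}, 0
    while pos < len(seq):
        ctx, wrapped, pos = _tlv(seq, pos)           # [n] EXPLICIT wrapper around each field
        fields[ctx & 0x1f] = _tlv(wrapped)[1]        # drop the wrapper, keep the field content
    return fields

def kdc_time(fields):
    """stime [4] (GeneralizedTime 'YYYYMMDDhhmmssZ') plus the optional susec [5]."""
    t = datetime.strptime(fields[4].decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return t + timedelta(microseconds=int.from_bytes(fields.get(5, b"\0"), "big"))

def skew_verdict(pkt, client_now):
    """(error_code, client_minus_kdc, exceeds MAX_SKEW) for a captured KRB-ERROR."""
    fields = parse_krb_error(pkt)
    code = int.from_bytes(fields[6], "big")
    skew = client_now - kdc_time(fields)
    return code, skew, abs(skew) > MAX_SKEW

# Constructed sample: a tiny DER encoder that builds a KRB-ERROR shaped like the KDC's reply.
def _enc(tag, body): return bytes([tag, len(body)]) + body              # short-form lengths only
def _ctx(n, elem):   return _enc(0xa0 | n, elem)                          # [n] EXPLICIT
def _int(v):         return _enc(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def _str(s):         return _enc(0x1b, s.encode())                        # GeneralString

def sample_krb_error(stime="20101112104000Z", susec=250000, realm="EXAMPLE.COM"):
    sname = _enc(0x30, _ctx(0, _int(1)) + _ctx(1, _enc(0x30, _str("krbtgt") + _str(realm))))
    body = (_ctx(0, _int(5)) + _ctx(1, _int(30)) + _ctx(4, _enc(0x18, stime.encode())) +
            _ctx(5, _int(susec)) + _ctx(6, _int(KRB_AP_ERR_SKEW)) + _ctx(9, _str(realm)) + _ctx(10, sname))
    return _enc(0x7e, _enc(0x30, body))
```

Feed `skew_verdict` the UDP payload of the KDC's reply from the capture together with the capture timestamp; a small skew next to a 0x25 points away from the clocks.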

More information about the freebsd-stable mailing list