
secd.cifsAuth.problem: KRB5KRB_AP_ERR_SKEW

At the end of October we updated our FAS8040 to ONTAP 9.2P1. Since then we get the message "secd.cifsAuth.problem: vserver (SVM_NAME) General CIFS authentication problem on all SVMs Error: User authentication procedure failed CIFS SMB2 Share mapping - Client Ip = xxx.xx.xx.xxx [3 ms ] Error accepting security context for Vserver identifier (27). Cluster and Domain Controller times differ by more than the configured clock skew (KRB5KRB_AP_ERR_SKEW). ** [6] FAILURE: CIFS authentication failed ". We have checked the times on the SVMs and the affected servers / clients; they are the same everywhere. We only use one NTP server, which is defined on each system.

Re: secd.cifsAuth.problem: KRB5KRB_AP_ERR_SKEW

Hi,

 

Did you log a case? If so what's the case number? Does the vserver have a route and can it connect to a DC and your NTP server?

Also have you checked the timezone on the cluster is correct? Have you checked the firewall policy on the vserver management LIFs?

Assuming you have configured and validated the NTP configuration on the cluster, e.g.:

 

cluster::> cluster time-service ntp server create -server x.x.x.x -is-preferred true
cluster::> cluster time-service ntp server validate -server x.x.x.x
cluster::> cluster time-service ntp server show

 

What's the output of the above underlined commands?

 

/Matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

Re: secd.cifsAuth.problem: KRB5KRB_AP_ERR_SKEW

Hi Matt,

 

Did you log a case? No, no case yet.

Does the vserver have a route and can it connect to a DC and your NTP server? Yes. All concerned vservers have a route to the DC and to our NTP server.

Also have you checked the timezone on the cluster is correct? Yes, the cluster time is correct and it's the same time as on our Windows-server.

Have you checked the firewall policy on the vserver management LIFs? We have no firewall policy on the management LIFs.

 

Here is the desired output of the given commands:

 

cluster time-service ntp server validate -server xxx.xx.xxx.xxx :

"Error: "validate" is not a recognized command"

 

cluster time-service ntp server show

Server                         Version
------------------------------ -------
ntp.stadtdo.de                 auto

 

 

Regards,

Thorsten

Re: secd.cifsAuth.problem: KRB5KRB_AP_ERR_SKEW

Hi Thorsten,

 

I forgot to mention the "validate" command is only available in diag mode, e.g.:

 

cluster1::> timezone
    Timezone: Australia/Sydney

cluster1::> set diag

Warning: These diagnostic commands are for use by NetApp personnel only.
Do you want to continue? {y|n}: y

cluster1::*> cluster time-service ntp server
    create   delete   modify   reset    show     validate

cluster1::> cluster time-service ntp server show
Server                         Version
------------------------------ -------
ntp.testlab.local              auto

cluster1::*> cluster time-service ntp server validate -server ntp.testlab.local

Does the cluster management LIF have a firewall policy, and does that firewall policy allow NTP and DNS? E.g.:

 

cluster1::*> net int show -role cluster-mgmt -fields firewall-policy
  (network interface show)
vserver  lif                firewall-policy
-------- ------------------ ---------------
cluster1 cluster1_mgmt_lif1 mgmt

cluster1::*> firewall policy show -vserver cluster1 -policy mgmt
  (system services firewall policy show)
Vserver Policy       Service    Allowed
------- ------------ ---------- -------------------
cluster1
        mgmt
                     dns        0.0.0.0/0
                     http       0.0.0.0/0
                     https      0.0.0.0/0
                     ndmp       0.0.0.0/0
                     ndmps      0.0.0.0/0
                     ntp        0.0.0.0/0
                     snmp       0.0.0.0/0
                     ssh        0.0.0.0/0
8 entries were displayed.

Are clients denied access when connecting to the vserver? If so what's their registry value of:

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Value: RestrictAnonymous
Value Type: REG_DWORD
Value Data: 0x1 (Hex)

It does sound like your NTP configuration is correct, therefore I'd advise the next step would be to log a case.

 

/Matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.
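The error in the thread is raised when the cluster's clock and the domain controller's clock differ by more than the Kerberos skew tolerance (5 minutes by default in both MIT Kerberos and Windows). The ONTAP commands above confirm that an NTP server is configured, but they do not show how far off any clock actually is. The following is an added example, not code from this thread or from NetApp: a minimal SNTP client that measures a host's offset from the NTP server and reports whether it is inside the Kerberos tolerance. Run it on the domain controller and on a client to compare against the cluster's own time. The server name NTP_SERVER is a placeholder and the sample reply packet is constructed so the parsing and skew logic can be exercised offline.

```python
# Added example (not from the thread or from NetApp): an SNTP query plus a
# Kerberos clock-skew check, so the offset between a host and the NTP server
# that the cluster and the DC share can be measured rather than eyeballed.
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800        # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
KRB_DEFAULT_SKEW_SECONDS = 300       # Kerberos default tolerance: 5 minutes (MIT krb5 and Windows)
NTP_SERVER = "ntp.example.invalid"   # placeholder: use the server from 'cluster time-service ntp server show'


def build_sntp_request() -> bytes:
    """48-byte SNTP client request: LI=0, VN=4, Mode=3, everything else zero."""
    return bytes([0x23]) + b"\x00" * 47


def parse_sntp_transmit_time(packet: bytes) -> float:
    """Extract the server's Transmit Timestamp (bytes 40..47) as Unix seconds.

    Rejects anything that is not a server reply (mode 4) and stratum-0 replies
    (unsynchronised server or kiss-o'-death), because those carry no usable time.
    """
    if len(packet) < 48:
        raise ValueError("SNTP reply shorter than 48 bytes")
    mode = packet[0] & 0x07
    if mode != 4:
        raise ValueError(f"unexpected NTP mode {mode}; expected 4 (server)")
    if packet[1] == 0:
        raise ValueError("stratum 0 reply: server unsynchronised or kiss-o'-death")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def skew_verdict(local_unix: float, reference_unix: float,
                 tolerance: float = KRB_DEFAULT_SKEW_SECONDS):
    """Return (offset_seconds, within_tolerance). Positive offset = local clock is ahead."""
    offset = local_unix - reference_unix
    return offset, abs(offset) <= tolerance


def query_ntp(server: str, timeout: float = 3.0) -> float:
    """Send one SNTP request over UDP/123 and return the server's transmit time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_sntp_request(), (server, 123))
        reply, _ = sock.recvfrom(512)
    return parse_sntp_transmit_time(reply)


# Constructed sample reply (not captured from any real server): mode 4, stratum 2,
# transmit timestamp 3718988800.5 NTP seconds = 1510000000.5 Unix seconds (Nov 2017).
SAMPLE_SERVER_REPLY = (
    bytes([0x24, 2, 6, 0xEC])                      # LI/VN/Mode, stratum, poll, precision
    + b"\x00" * 36                                 # root delay/dispersion, ref id, ref/orig/recv stamps
    + struct.pack("!II", 3718988800, 0x80000000)   # transmit timestamp, fraction 0.5
)


def check_sample() -> tuple:
    """Skew check against the constructed reply with a local clock pretended 2 minutes ahead."""
    reference = parse_sntp_transmit_time(SAMPLE_SERVER_REPLY)
    return skew_verdict(reference + 120, reference)


if __name__ == "__main__":
    # Live check (needs UDP/123 to the NTP server); compare the result on the DC,
    # on an affected client and, via 'timezone' and 'date', on the cluster itself.
    reference = query_ntp(NTP_SERVER)
    offset, ok = skew_verdict(time.time(), reference)
    print(f"offset vs {NTP_SERVER}: {offset:+.3f}s -> "
          f"{'within' if ok else 'EXCEEDS'} {KRB_DEFAULT_SKEW_SECONDS}s Kerberos skew")
```

A single SNTP sample ignores network round-trip delay, which is fine here: the question is whether a clock is minutes out, not milliseconds. If every host reports a small offset against the same server yet the cluster still logs KRB5KRB_AP_ERR_SKEW, the clock the KDC is actually using differs from the one being measured, which is the situation the later NetApp bug reference in this thread describes.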

Re: secd.cifsAuth.problem: KRB5KRB_AP_ERR_SKEW

Hello Matt,

 

Here are the results of the commands:

 

FAS80402::> timezone
    Timezone: Europe/Berlin

 

 

FAS80402::*> cluster time-service ntp server show
                                        Is-Preferred Is-Public
Server                         Version  Server       Server Default
------------------------------ -------- ------------ --------------
ntp.stadtdo.de                 auto     true         false

 

 

FAS80402::*> cluster time-service ntp server validate -server ntp.stadtdo.de

 

 

FAS80402::*> net int show -role cluster-mgmt -fields firewall-policy
  (network interface show)
vserver  lif          firewall-policy
-------- ------------ ---------------
FAS80402 cluster_mgmt mgmt

 


FAS80402::*> firewall policy show -vserver FAS80402 -policy mgmt
  (system services firewall policy show)
Vserver Policy       Service    Allowed
------- ------------ ---------- -------------------
FAS80402
        mgmt
                     dns        0.0.0.0/0
                     http       0.0.0.0/0
                     https      0.0.0.0/0
                     ndmp       0.0.0.0/0
                     ndmps      0.0.0.0/0
                     ntp        0.0.0.0/0
                     snmp       0.0.0.0/0
                     ssh        0.0.0.0/0
8 entries were displayed.

 

I once searched for the entry you mentioned using regedit on one of the affected servers. Here is the result (see the attached file).

 

 

Regards,

Thorsten

 

Re: secd.cifsAuth.problem: KRB5KRB_AP_ERR_SKEW


Although we have no solution for the messages in our Event Log yet, this notice from NetApp from 27.11.2017 applies to our message:

https://kb.netapp.com/app/answers/answer_view/a_id/1005337/loc/en_US

and

https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=1041972