メインコンテンツまでスキップ

SVM と DC 間で観察された誤った時間スキューエラー「クラスタとドメインコントローラの時間が、設定されているクロックスキュー( krb5krb_ap_err_skew )よりも大きく異なる」

Views:
305
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
cifs
Last Updated:

のしんだ

に適用されます

clustered Data ONTAP 9.3+

SMB 2

SMB 3

問題

  • EMS ログには、 SVM と DC の間にタイムスキューが発生したことが表示されます。

cluster::*> event log show -event secd*
Time                Node             Severity      Event
------------------- ---------------- ------------- ---------------------------
4/29/2019 11:09:01  cdot-vsim10-01   ERROR         secd.cifsAuth.problem: vserver (svm) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.216.yy.xx
  [  5 ms] Error accepting security context for Vserver identifier (3). Cluster and Domain Controller times differ by more than the configured clock skew (KRB5KRB_AP_ERR_SKEW).
**[     7] FAILURE: CIFS authentication failed

  • Secd ログには次の情報が表示

00000018.000079a0 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] .------------------------------------------------------------------------------.
00000018.000079a1 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] |                                 RPC FAILURE:                                 |
00000018.000079a2 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] |                      secd_rpc_auth_extended has failed                       |
00000018.000079a3 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] |                          Result = 0, RPC Result = 4                          |
00000018.000079a4 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] |                   RPC received at Mon Apr 29 11:09:01 2019                   |
00000018.000079a5 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] |------------------------------------------------------------------------------'
00000018.000079a6 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] Failure Summary:
00000018.000079a7 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] Error: User authentication procedure failed
00000018.000079a8 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] CIFS SMB2 Share mapping - Client Ip = 10.216.yy.xx
00000018.000079a9 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459]   [  5 ms] Error accepting security context for Vserver identifier (3). Cluster and Domain Controller times differ by more than the configured clock skew (KRB5KRB_AP_ERR_SKEW).
00000018.000079aa 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] **[     7] FAILURE: CIFS authentication failed

  • SVM に DC へのアクティブな接続があります

cluster::*> vserver  cifs domain  discovered-servers  show -vserver  svm
Node: cdot-01
Vserver: svm
Domain Name     Type     Preference DC-Name         DC-Address      Status
--------------- -------- ---------- --------------- --------------- ---------
naslab.local    KERBEROS adequate   WIN-OBK6KRHGRH5 xx.yy.zz.30    undetermined
naslab.local    KERBEROS adequate   WIN-RH1QTMQCSIK xx.yy.zz.42    undetermined
naslab.local    KERBEROS preferred  win-aesid9bf636 xx.yy.zz.191   undetermined
naslab.local    KERBEROS preferred  win-k8f679t5rhm xx.yy.zz.190   undetermined
naslab.local    MS-LDAP  preferred  win-aesid9bf636 xx.yy.zz.191   OK
naslab.local    MS-LDAP  preferred  win-k8f679t5rhm xx.yy.zz.190   OK

naslab.local    MS-LDAP  adequate   win-obk6krhgrh5 xx.yy.zz.30    undetermined
naslab.local    MS-LDAP  adequate   win-rh1qtmqcsik xx.yy.zz.42    undetermined
naslab.local    MS-DC    adequate   WIN-OBK6KRHGRH5 xx.yy.zz.30    undetermined
naslab.local    MS-DC    preferred  win-aesid9bf636 xx.yy.zz.191   undetermined
naslab.local    MS-DC    preferred  win-k8f679t5rhm xx.yy.zz.190   OK
naslab.local    MS-DC    adequate   win-rh1qtmqcsik xx.yy.zz.42    undetermined
12 entries were displayed.


SVM と DC の日付と時刻を確認すると、スキューは発生せず、同期されます。 
また、どのユーザからも影響は報告されません。

 

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

Scan to view the article on your device