在 SVM 和 DC 之间观察到错误的时间偏差 " 集群和域控制器时间因配置的时钟偏差而异( krb5krb_ap_err_歪 斜) "
状态信息
适用于
集群模式 Data ONTAP 9.3+
SMB 2
SMB 3
问题
- EMS 日志显示 SVM 和 DC 之间存在时间偏差:
cluster::*> event log show -event secd*
Time Node Severity Event
------------------- ---------------- ------------- ---------------------------
4/29/2019 11:09:01 cdot-vsim10-01 ERROR secd.cifsAuth.problem: vserver (svm) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.216.yy.xx
[ 5 ms] Error accepting security context for Vserver identifier (3). Cluster and Domain Controller times differ by more than the configured clock skew (KRB5KRB_AP_ERR_SKEW).
**[ 7] FAILURE: CIFS authentication failed
- Secd 日志显示:
00000018.000079a0 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] .------------------------------------------------------------------------------.
00000018.000079a1 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] | RPC FAILURE: |
00000018.000079a2 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] | secd_rpc_auth_extended has failed |
00000018.000079a3 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] | Result = 0, RPC Result = 4 |
00000018.000079a4 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] | RPC received at Mon Apr 29 11:09:01 2019 |
00000018.000079a5 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] |------------------------------------------------------------------------------'
00000018.000079a6 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] Failure Summary:
00000018.000079a7 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] Error: User authentication procedure failed
00000018.000079a8 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] CIFS SMB2 Share mapping - Client Ip = 10.216.yy.xx
00000018.000079a9 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] [ 5 ms] Error accepting security context for Vserver identifier (3). Cluster and Domain Controller times differ by more than the configured clock skew (KRB5KRB_AP_ERR_SKEW).
00000018.000079aa 00fcae75 Mon Apr 29 2019 11:09:01 +05:30 [kern_secd:info:8459] **[ 7] FAILURE: CIFS authentication failed
- SVM 与 DC 有活动连接。
cluster::*> vserver cifs domain discovered-servers show -vserver svm
Node: cdot-01
Vserver: svm
Domain Name Type Preference DC-Name DC-Address Status
--------------- -------- ---------- --------------- --------------- ---------
naslab.local KERBEROS adequate WIN-OBK6KRHGRH5 xx.yy.zz.30 undetermined
naslab.local KERBEROS adequate WIN-RH1QTMQCSIK xx.yy.zz.42 undetermined
naslab.local KERBEROS preferred win-aesid9bf636 xx.yy.zz.191 undetermined
naslab.local KERBEROS preferred win-k8f679t5rhm xx.yy.zz.190 undetermined
naslab.local MS-LDAP preferred win-aesid9bf636 xx.yy.zz.191 OK
naslab.local MS-LDAP preferred win-k8f679t5rhm xx.yy.zz.190 OK
naslab.local MS-LDAP adequate win-obk6krhgrh5 xx.yy.zz.30 undetermined
naslab.local MS-LDAP adequate win-rh1qtmqcsik xx.yy.zz.42 undetermined
naslab.local MS-DC adequate WIN-OBK6KRHGRH5 xx.yy.zz.30 undetermined
naslab.local MS-DC preferred win-aesid9bf636 xx.yy.zz.191 undetermined
naslab.local MS-DC preferred win-k8f679t5rhm xx.yy.zz.190 OK
naslab.local MS-DC adequate win-rh1qtmqcsik xx.yy.zz.42 undetermined
12 entries were displayed.
当我们在 SVM 和 DC 上检查日期和时间时、不会出现偏差并且它们是同步的。
此外,任何用户都不会报告任何影响。