在SVM和DC之间观察到错误的时间偏差错误"集群和域控制器时间相差超过配置的时钟偏差(KRB5KRB_AP_ERR_SKE")"

适用场景

• ONTAP 9.3至ONTAP 9.8
• SMB 2
• SMB 3

问题描述

• EMS日志显示SVM和DC之间存在时间偏差：

cluster::*> event log show -event secd*
 Node             Severity      Event
 ---------------- ------------- ---------------------------
 cluster-01   ERROR         secd.cifsAuth.problem: vserver (svm) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.216.yy.xx
  [  5 ms] Error accepting security context for Vserver identifier (3). Cluster and Domain Controller times differ by more than the configured clock skew (KRB5KRB_AP_ERR_SKEW).
**[     7] FAILURE: CIFS authentication failed

1/3/2024 08:21:30 Netappnas001-02 ERROR secd.kerberos.tktnyv: Kerberos client ticket not yet valid for vserver (svmcifs) client IP (10.101.81.16).

• SECD日志显示：

[kern_secd:info:8459] .------------------------------------------------------------------------------.
[kern_secd:info:8459] |                                 RPC FAILURE:                                 |
[kern_secd:info:8459] |                      secd_rpc_auth_extended has failed                       |
[kern_secd:info:8459] |                          Result = 0, RPC Result = 4                          |
[kern_secd:info:8459] |                   RPC received at Mon Apr 29 11:09:01 2019                   |
[kern_secd:info:8459] |------------------------------------------------------------------------------'
[kern_secd:info:8459] Failure Summary:
[kern_secd:info:8459] Error: User authentication procedure failed
[kern_secd:info:8459] CIFS SMB2 Share mapping - Client Ip = 10.216.yy.xx
[kern_secd:info:8459]   [  5 ms] Error accepting security context for Vserver identifier (3). Cluster and Domain Controller times differ by more than the configured clock skew (KRB5KRB_AP_ERR_SKEW).
[kern_secd:info:8459] **[     7] FAILURE: CIFS authentication failed

• SVM 与DC具有活动连接。

cluster::*> vserver  cifs domain  discovered-servers  show -vserver  svm
Node: cdot-01
Vserver: svm
Domain Name     Type     Preference DC-Name         DC-Address      Status
--------------- -------- ---------- --------------- --------------- ---------
naslab.local    KERBEROS adequate   WIN-OBK6KRHGRH5 xx.yy.zz.30    undetermined
naslab.local    KERBEROS adequate   WIN-RH1QTMQCSIK xx.yy.zz.42    undetermined
naslab.local    KERBEROS preferred  win-aesid9bf636 xx.yy.zz.191   undetermined
naslab.local    KERBEROS preferred  win-k8f679t5rhm xx.yy.zz.190   undetermined
naslab.local    MS-LDAP  preferred  win-aesid9bf636 xx.yy.zz.191   OK
naslab.local    MS-LDAP  preferred  win-k8f679t5rhm xx.yy.zz.190   OK
naslab.local    MS-LDAP  adequate   win-obk6krhgrh5 xx.yy.zz.30    undetermined
naslab.local    MS-LDAP  adequate   win-rh1qtmqcsik xx.yy.zz.42    undetermined
naslab.local    MS-DC    adequate   WIN-OBK6KRHGRH5 xx.yy.zz.30    undetermined
naslab.local    MS-DC    preferred  win-aesid9bf636 xx.yy.zz.191   undetermined
naslab.local    MS-DC    preferred  win-k8f679t5rhm xx.yy.zz.190   OK
naslab.local    MS-DC    adequate   win-rh1qtmqcsik xx.yy.zz.42    undetermined
12 entries were displayed.

• 当我们检查 SVM和DC上的日期和时间时、不会出现偏差、并且它们是同步的。 
• 用户未报告任何影响。