NTP and correct time *is* important for Kerberos to work properly

When you configure a Kerberos KDC, you probably know that a working NTP setup is one of the basic prerequisites (second only to functional and proper DNS!) that must be in place before you even start on the KDC setup. However, some new clients may not have the correct time, and when you check Kerberos connectivity from these machines, if their time is not approximately the same as on the KDC, you will see the error messages below (or some variation of them).

These were generated on a RHEL Kerberos server and client.

Client side:

# kadmin -p root/admin
Authenticating as principal root/admin with password.
Password for root/admin@DOMAIN:
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface

On the server side, it generates the errors below:

May 27 07:14:05 krb1.domain krb5kdc[2461](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.122.175: ISSUE: authtime 1338095645, etypes {rep=18 tkt=16 ses=16}, root/admin@DOMAIN for kadmin/krb1.domain@DOMAIN

==> kadmind.log <==
May 27 07:14:07 krb1.domain kadmind[2446](Notice): Authentication attempt failed: 192.168.122.175, GSS-API error strings are:
May 27 07:14:07 krb1.domain kadmind[2446](Notice): Unspecified GSS failure. Minor code may provide more information
May 27 07:14:07 krb1.domain kadmind[2446](Notice): Clock skew too great
May 27 07:14:07 krb1.domain kadmind[2446](Notice): GSS-API error strings complete.
May 27 07:14:07 krb1.domain kadmind[2446](Notice): Authentication attempt failed: 192.168.122.175, GSS-API error strings are:
May 27 07:14:07 krb1.domain kadmind[2446](Notice): Unspecified GSS failure. Minor code may provide more information
May 27 07:14:07 krb1.domain kadmind[2446](Notice): Request is a replay
May 27 07:14:07 krb1.domain kadmind[2446](Notice): GSS-API error strings complete.
May 27 07:14:07 krb1.domain kadmind[2446](Notice): Authentication attempt failed: 192.168.122.175, GSS-API error strings are:
May 27 07:14:07 krb1.domain kadmind[2446](Notice): Unspecified GSS failure. Minor code may provide more information
May 27 07:14:07 krb1.domain kadmind[2446](Notice): Request is a replay
May 27 07:14:07 krb1.domain kadmind[2446](Notice): GSS-API error strings complete.
May 27 07:14:07 krb1.domain kadmind[2446](Notice): Authentication attempt failed: 192.168.122.175, GSS-API error strings are:
May 27 07:14:07 krb1.domain kadmind[2446](Notice): Unspecified GSS failure. Minor code may provide more information
May 27 07:14:07 krb1.domain kadmind[2446](Notice): Wrong principal in request
May 27 07:14:07 krb1.domain kadmind[2446](Notice): GSS-API error strings complete.
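
One way to find which clients are affected, as an added example that is not part of the original post: the Python below groups the kadmind.log failure records shown above by client address and lists the clients that logged "Clock skew too great". The sample log is constructed from the lines above; the address 192.0.2.10 and all function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the kadmind.log format shown above (192.0.2.10 is invented).
SAMPLE_LOG = """\
May 27 07:14:07 krb1.domain kadmind[2446](Notice): Authentication attempt failed: 192.168.122.175, GSS-API error strings are:
May 27 07:14:07 krb1.domain kadmind[2446](Notice): Unspecified GSS failure. Minor code may provide more information
May 27 07:14:07 krb1.domain kadmind[2446](Notice): Clock skew too great
May 27 07:14:07 krb1.domain kadmind[2446](Notice): GSS-API error strings complete.
May 27 07:14:07 krb1.domain kadmind[2446](Notice): Authentication attempt failed: 192.168.122.175, GSS-API error strings are:
May 27 07:14:07 krb1.domain kadmind[2446](Notice): Unspecified GSS failure. Minor code may provide more information
May 27 07:14:07 krb1.domain kadmind[2446](Notice): Request is a replay
May 27 07:14:07 krb1.domain kadmind[2446](Notice): GSS-API error strings complete.
May 27 07:20:11 krb1.domain kadmind[2446](Notice): Authentication attempt failed: 192.0.2.10, GSS-API error strings are:
May 27 07:20:11 krb1.domain kadmind[2446](Notice): Unspecified GSS failure. Minor code may provide more information
May 27 07:20:11 krb1.domain kadmind[2446](Notice): Wrong principal in request
May 27 07:20:11 krb1.domain kadmind[2446](Notice): GSS-API error strings complete.
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ kadmind\[\d+\]\(\w+\): (?P<msg>.*)$")
START = re.compile(r"^Authentication attempt failed: (?P<client>[^,]+), GSS-API error strings are:$")
END = "GSS-API error strings complete."
GENERIC = "Unspecified GSS failure"  # major status only; the next string carries the cause
SKEW = "Clock skew too great"

def failures_by_client(text):
    """Group each failure record's specific error strings by client address."""
    by_client, client = defaultdict(Counter), None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # krb5kdc lines, blank lines, "==> file <==" headers from tail
        msg = m["msg"]
        start = START.match(msg)
        if start:
            client = start["client"]  # a new failure record begins
        elif msg == END:
            client = None  # record closed
        elif client and not msg.startswith(GENERIC):
            by_client[client][msg] += 1
    return by_client

def skewed_clients(text):
    """Clients with at least one clock-skew failure: check their time sync first."""
    return sorted(c for c, errs in failures_by_client(text).items() if errs[SKEW])

if __name__ == "__main__":
    for client in skewed_clients(SAMPLE_LOG):
        print(client, dict(failures_by_client(SAMPLE_LOG)[client]))
```

Grouping by client also shows the other GSS-API errors that the same address logged alongside the skew failure, as in the log above.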
