From: "Eugene M. Zheganin" <emz@norma.perm.ru>
To: freebsd-stable@freebsd.org
Date: Fri, 12 Nov 2010 15:16:56 +0500
Subject: krb5 and clock skew
Message-ID: <4CDD1418.8020107@norma.perm.ru>

Hi.

A panic in em(4) in a vlan environment (after the upgrade from 7.2-RELEASE to 8.1-RELEASE) forced me to use 8.1-STABLE (built 2 days ago) on one of my production servers. Almost everything is fine now except for two things, which I decided to split into two letters. This one is about my Kerberos setup.

I have a Windows 2008 server which acts as AD domain controller, thus implying a KDC. I have a bunch of various FreeBSD 7.x/8.0 machines around, and I have this particular FreeBSD 8.1-STABLE machine; let's name it 'A'. 'A' is a primary ntp server, which is the preferred and only peer for many of the other FreeBSD servers around. 'A' is synced to some stratum 1 WAN hosts. All of the 'others' (FreeBSD) are synced to 'A'. The KDC is also synced to 'A'.

'A' and the 'others' have Kerberos V deployed, with identical configs that point to the KDC (Windows 2008). All of the machines have a user 'emz', which on the FreeBSD machines is a local user and on the KDC is a domain user.

The problem is that the 'others' can request tickets for emz with kinit, but when I issue the 'kinit' command on 'A' I always get 'Clock skew too great'. As I said, the time is synced between the KDC and 'A'. I've looked at the Windows 2008 event logs; they say 'reason 0x25', which means 'Clock skew too great'. I've looked at tcpdump output just to see that the packets coming from the KDC contain the same error. I've installed heimdal 1.4 from ports and used its /usr/local/bin/kinit, but the situation was the same.

However, this setup was working on this server for years, even on 8.1 (during the moments between panics :)), and it broke after the upgrade to 8.1-STABLE.

How can I solve this?

Thanks.
Eugene.
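The check a practitioner would want after a report like the one above: rather than trusting that ntp says both sides agree, read the KDC's own clock out of the KRB-ERROR it returns. Reason 0x25 is decimal 37, KRB_AP_ERR_SKEW in RFC 4120, and every KRB-ERROR carries the KDC's time (stime/susec) plus, usually, the client time it echoed from the request (ctime/cusec), so the reply tcpdump shows already contains the skew the KDC measured. The following is an added example, not code from the original post, from Heimdal or from FreeBSD; it decodes the DER with the standard library only. The KRB-ERROR it parses is constructed inside the block, and the realm EXAMPLE.COM, the timestamps and all helper names are assumptions.

```python
"""Decode a Kerberos KRB-ERROR (RFC 4120 section 5.9.1) and compute the
clock skew the KDC observed. Added example; the sample message is constructed
here to resemble a KDC reply with error-code 37 (KRB_AP_ERR_SKEW, 0x25)."""
from datetime import datetime, timedelta, timezone

DEFAULT_MAX_SKEW = 300.0  # clockskew default in MIT, Heimdal and Windows KDCs

ERROR_NAMES = {  # subset of RFC 4120 section 7.5.9
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW", 68: "KDC_ERR_WRONG_REALM",
}

# --- minimal DER encoder, used only to build the constructed sample ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _int(v):        # INTEGER, minimal two's-complement encoding
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def _gtime(dt):     # KerberosTime is GeneralizedTime "YYYYMMDDHHMMSSZ"
    return _tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())

def _gstr(s):       # KerberosString is GeneralString
    return _tlv(0x1B, s.encode())

def _ctx(n, body):  # [n] EXPLICIT context-specific tag (constructed)
    return _tlv(0xA0 | n, body)

def _seq(*items):
    return _tlv(0x30, b"".join(items))

# Constructed sample: client clock 10:16:56Z, KDC clock 10:09:41.25Z, so the
# client is 434.75 s ahead of the KDC, well beyond the 300 s tolerance.
CLIENT_TIME = datetime(2010, 11, 12, 10, 16, 56, tzinfo=timezone.utc)
KDC_TIME = datetime(2010, 11, 12, 10, 9, 41, tzinfo=timezone.utc)
SAMPLE_KRB_ERROR = _tlv(0x60 | 30, _seq(   # [APPLICATION 30] KRB-ERROR
    _ctx(0, _int(5)),                       # pvno
    _ctx(1, _int(30)),                      # msg-type KRB_ERROR
    _ctx(2, _gtime(CLIENT_TIME)),           # ctime, echoed from the request
    _ctx(3, _int(0)),                       # cusec
    _ctx(4, _gtime(KDC_TIME)),              # stime, the KDC's clock
    _ctx(5, _int(250000)),                  # susec
    _ctx(6, _int(37)),                      # error-code KRB_AP_ERR_SKEW
    _ctx(9, _gstr("EXAMPLE.COM")),          # realm (assumed name)
    _ctx(10, _seq(                          # sname: krbtgt/EXAMPLE.COM
        _ctx(0, _int(2)),                   # name-type NT-SRV-INST
        _ctx(1, _seq(_gstr("krbtgt"), _gstr("EXAMPLE.COM"))))),
))

# --- DER reader ---
def _read_tlv(buf, pos=0):
    """Return (tag, value, next_pos); Kerberos uses single-byte tags only."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        items.append((tag, val))
    return items

def _decode_int(val):
    return int.from_bytes(val, "big", signed=True)

def _decode_time(val):
    return datetime.strptime(val.decode("ascii"), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def _decode_principal(val):
    parts = {t & 0x1F: v for t, v in _children(val)}          # [0] name-type, [1] name-string
    return "/".join(s.decode() for _, s in _children(_children(parts[1])[0][1]))

def parse_krb_error(der):
    """Parse a raw KRB-ERROR (UDP port 88 payload; for TCP skip the 4-byte length)."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x7E:
        raise ValueError("not a KRB-ERROR, outer tag 0x%02x" % tag)
    seq_tag, seq_body, _ = _read_tlv(body)
    if seq_tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    fields = {ctag & 0x1F: _children(cval)[0][1] for ctag, cval in _children(seq_body)}
    if _decode_int(fields[1]) != 30:
        raise ValueError("msg-type is not KRB_ERROR")
    code = _decode_int(fields[6])
    return {
        "pvno": _decode_int(fields[0]),
        "ctime": _decode_time(fields[2]) if 2 in fields else None,
        "cusec": _decode_int(fields[3]) if 3 in fields else 0,
        "stime": _decode_time(fields[4]),
        "susec": _decode_int(fields[5]),
        "error_code": code,
        "error_name": ERROR_NAMES.get(code, "UNKNOWN(%d)" % code),
        "realm": fields[9].decode(),
        "sname": _decode_principal(fields[10]),
        "e_text": fields[11].decode() if 11 in fields else None,
    }

def observed_skew(err, received_at=None):
    """Seconds the client clock is ahead of the KDC clock (negative = behind).
    Uses the echoed ctime; if the KDC omitted it, pass the local capture time."""
    server = err["stime"] + timedelta(microseconds=err["susec"])
    if err["ctime"] is not None:
        client = err["ctime"] + timedelta(microseconds=err["cusec"])
    elif received_at is not None:
        client = received_at
    else:
        raise ValueError("no client time to compare against")
    return (client - server).total_seconds()

def within_tolerance(skew_seconds, max_skew=DEFAULT_MAX_SKEW):
    return abs(skew_seconds) <= max_skew

if __name__ == "__main__":
    err = parse_krb_error(SAMPLE_KRB_ERROR)
    skew = observed_skew(err)
    print("%s (%d) from realm %s for %s" % (err["error_name"], err["error_code"], err["realm"], err["sname"]))
    print("KDC %s, client %s, skew %+.3f s, within %.0f s: %s"
          % (err["stime"], err["ctime"], skew, DEFAULT_MAX_SKEW, within_tolerance(skew)))
```

To use it on the real exchange, capture the reply with tcpdump (port 88), take the UDP payload bytes (or the TCP payload minus its 4-byte length prefix) and hand them to parse_krb_error(); a skew near zero with error 37 still present points away from the clocks and toward something else in the request path, while a large skew shows which side's clock is off and by how much, independent of what the ntp daemon reports about itself.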