# clock skew and kerberos

## gyades

Hi,

So I've got a rather strange problem:  when I try to get a kerberos ticket, I get an error indicating that I have the wrong time:

```

$ kinit -f

Password for gyades@FNAL.GOV:

kinit(v5): Clock skew too great while getting initial credentials

```

The obvious thing to check is that I have the right date and time.  It seems I do.  My laptop has an identical config, and I use the date command on both my laptop and desktop, hitting enter simultaneously: the dates agree to the second.  They also agree on the timezone, so that's not the issue either.  I am also running ntp to ensure that my time is always good.

Unfortunately, when I consult the oracle at google, I only get comments to the effect of "get your time set properly."   A good idea in general, but that doesn't seem to be the problem.  For the record:

```

$ equery l mit-krb5 net-misc/ntp

[ Searching for package 'ntp' in 'net-misc' among: ]

 * installed packages

[I--] [  ] net-misc/ntp-4.2.4_p0 (0)

$ equery l net-misc/ntp

[ Searching for package 'ntp' in 'net-misc' among: ]

 * installed packages

[I--] [  ] net-misc/ntp-4.2.4_p0 (0)

```

Any ideas would be greatly appreciated.

Thx,

Gyades

----------

## batfoot

What are you connecting to? A DC? Your local machine and the Kerberos server that you're trying to get the ticket must be within 5 minutes of each other. Have you also checked the system that you're trying to connect to? You may have the correct time going by NTP, but the KRB server needs to be at the correct time also. 

(Sorry if you've gone through this already).

>Craig

----------

## gyades

Yeah, I'm connecting to a KDC (to try) to get my ticket.  I can't directly verify that the time agrees, b/c I can't actually log into the KDC.  However, the same setup works on my laptop, and, as I mentioned in my original post, the timestamp there is identical.

I've also tried re-emerging mit-krb5, but to no avail.

----------

## Kvetch

I am no expert in this but batfoot is right, it sounds exactly like a sync issue.  It will give you this error if both boxes aren't in sync or outside the allotted 5 minute window (I actually thought it had a 10 minute skew window but it has been awhile since I have used it).  I know you can't login to check but just cause NTP is installed is it actually running?

----------

## gyades

I'll have to get home to give a firm answer, but yes, I'm pretty sure ntp is actually running.   But I'm confused.  If the setup actually works properly on my laptop (and it does) why should I believe that I am really out of sync?

I've also now checked my laptop against another machine at work (which is where the kerberos realm I'm connecting to is).  Aside from the original error message, all the evidence seems to suggest that my time is actually correct.

----------

## Kvetch

Sorry I'm confused, are you talking about another box or just your desktop and the kerberos server?  Are you saying that when your remote desktop tries to get a ticket it kicks back the sync error?  Or when you try to remote login using your laptop?

----------

## gyades

So I have a desktop at home as well as a laptop.  As far as I can tell, they have the same configuration.  They also have the same date and time, including timezone.  The KDC is at work. I find:

kinit on desktop at home :  clock skew error

kinit on laptop: works fine

Also kinit works fine on the machines at work, running Scientific Linux (a Red Hat Enterprise 4 derivative).  The machines at work agree with my laptop as far as the time.  The machines at work also agree with my desktop (no suprise there).

I just got home, and the ntpd daemon is running on my desktop there.

I hope this clears up what the symptoms are.

----------

## batfoot

Might be worth checking your timezones are correct all around.

Also if you want to take a network trace while you are connecting I'll be more than happy to have a look at it for you.

It has to be something that is making the times more than the 5 minutes (300 seconds) apart. Let us know how you get on.

>Craig

----------

## gyades

OK, got distracted for a bit, but here's the result of tcpdump from my (non-working) desktop when I do a kinit:

```

 singularity ~ # tcpdump 'host krb-fnal-1.fnal.gov'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes

22:50:58.337428 IP singularity.32770 > i-krb-10.fnal.gov.kerberos:  v5

22:50:59.716086 IP i-krb-10.fnal.gov.kerberos > singularity.32770:

22:50:59.716105 IP singularity > i-krb-10.fnal.gov: ICMP singularity udp port 32770 unreachable, length 556

22:51:04.556738 IP singularity.32771 > i-krb-10.fnal.gov.kerberos:  v5

22:51:05.856831 IP singularity.32772 > i-krb-10.fnal.gov.kerberos:  v5

22:51:06.859621 IP singularity.32773 > i-krb-10.fnal.gov.kerberos:  v5

22:51:07.091782 IP i-krb-10.fnal.gov.kerberos > singularity.32772:

22:51:07.104718 IP singularity.32773 > i-krb-10.fnal.gov.kerberos:  v5

22:51:08.107684 IP singularity.32774 > i-krb-10.fnal.gov.kerberos:  v5

22:51:09.107698 IP singularity.45775 > i-krb-10.fnal.gov.kerberos: S 907200358:907200358(0) win 5840 <mss 1460,sackOK,timestamp 73390[|tcp]>

22:51:09.159756 IP i-krb-10.fnal.gov.kerberos > singularity.45775: R 0:0(0) ack 907200359 win 0

22:51:10.107690 IP singularity.45776 > i-krb-10.fnal.gov.kerberos: S 906516484:906516484(0) win 5840 <mss 1460,sackOK,timestamp 73640[|tcp]>

22:51:10.162647 IP i-krb-10.fnal.gov.kerberos > singularity.45776: R 0:0(0) ack 906516485 win 0

22:51:13.111688 IP singularity.32773 > i-krb-10.fnal.gov.kerberos:  v5

22:51:14.111842 IP singularity.32774 > i-krb-10.fnal.gov.kerberos:  v5

22:51:15.565486 IP i-krb-10.fnal.gov.kerberos > singularity.32774:

16 packets captured

18 packets received by filter

0 packets dropped by kernel

```

And here is the result from when I do a successful kinit from my laptop:

```

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes

22:56:20.664005 IP avalon.32771 > i-krb-10.fnal.gov.kerberos:  v5

22:56:21.325067 IP i-krb-10.fnal.gov.kerberos > avalon.32771:

22:56:28.177305 IP avalon.32772 > i-krb-10.fnal.gov.kerberos:  v5

22:56:28.544057 IP i-krb-10.fnal.gov.kerberos > avalon.32772:  v5

```

Some interesing differences, but I don't (yet) know how to decode them.  Any thoughts?  it almost seems to me as if there is some basic connectivity problem.  But I don't run a firewall on singularity (the desktop), as I run that on the router (LYNKSYS WRTG54G running DD-WRT).  And it seems unlikely that this could give rise to a five minute skew (given that the whole process takes place in less thatn 10 seconds).

I've also checked that the results of hwclock agree between the two system, as well as the clocks as viewed through the bios (should be the same info, as I understand it, but I thought it was worth double-checking).   A while back I tried to explicitly reset the timezone by:

```
cp  /usr/share/zoneinfo/America/Chicago /etc/localtime
```

but this did not help.

the contents of /etc/conf.d/clock are the same (comment lines removed for brevity):

```

CLOCK="UTC"

TIMEZONE="America/Chicago"

CLOCK_OPTS=""

CLOCK_SYSTOHC="yes"

SRM="no"

ARC="no"

```

Thanks!

----------

