AD DC and NAS clock skew failures
Reported by: gcooper | Owned by:
Kerberos is a very time-sensitive protocol. Both the NAS box and the AD DC need to be talking within several minutes or seconds in order to exchange KRB tickets. I've noticed that some people have a hard time getting AD up and going, and this is one of the issues that tends to crop up frequently.
What needs to be done is a few things:
- A recommendation needs to be added to the documentation so that people understand that both servers should be set to roughly the same time. This includes the following recommendations: a) they should be talking to the same NTP server, b) they need to have the same timezone set, c) they both have to be set to either local time or universal time at the BIOS level.
- AD needs to be forcefully disabled in the GUI if ix-kinit fails; this will prevent scenarios where the user is effectively locked out of the system because it can't authenticate to AD.
- The user needs to be notified in the event that ix-kinit fails.
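
A pre-flight skew check that could run before ix-kinit, shown as an added example and not FreeNAS code: it sends one SNTP request to the DC and compares the measured offset with the Kerberos tolerance. It assumes the DC answers SNTP on UDP 123 and that the tolerance is 300 seconds (the MIT Kerberos `clockskew` default); the function names are hypothetical.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MAX_SKEW = 300                # assumption: default Kerberos clockskew, in seconds

def _ntp_to_unix(buf, pos):
    """Decode the 64-bit NTP timestamp (32.32 fixed point) at byte offset pos."""
    secs, frac = struct.unpack_from("!II", buf, pos)
    return secs - NTP_EPOCH_DELTA + frac / 2**32

def offset_from_reply(reply, t1, t4):
    """Offset (server minus local, seconds); t1/t4 = local send/receive time."""
    if len(reply) < 48:
        raise ValueError("short SNTP reply")
    mode, stratum = reply[0] & 0x07, reply[1]
    if mode != 4 or stratum == 0:
        # mode 4 = server; stratum 0 = kiss-of-death / unsynchronized
        raise ValueError("not a usable server reply")
    t2 = _ntp_to_unix(reply, 32)  # server receive timestamp
    t3 = _ntp_to_unix(reply, 40)  # server transmit timestamp
    return ((t2 - t1) + (t3 - t4)) / 2

def query_offset(host, timeout=3.0):
    """Send one SNTP client request to host:123 and return the offset."""
    request = b"\x23" + 47 * b"\x00"  # LI=0, VN=4, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(request, (host, 123))
        reply, _ = s.recvfrom(512)
        t4 = time.time()
    return offset_from_reply(reply, t1, t4)

def skew_ok(offset, max_skew=MAX_SKEW):
    """True if the offset is inside the Kerberos clock-skew tolerance."""
    return abs(offset) <= max_skew

if __name__ == "__main__":
    import sys
    off = query_offset(sys.argv[1])  # argument: the DC's hostname or address
    print(f"offset {off:+.3f}s, within tolerance: {skew_ok(off)}")
```

A failed check, or a timeout from `query_offset`, is the point at which the user would be notified before any ticket request is attempted.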