secd.kerberos events
secd.kerberos.clockskew
- Severity
-
ERROR
- Description
-
This message occurs when there is a "time error"(clock skew, time skew, time out of bounds). This error indicates that there is a time discrepancy between client and node or client and Key Distribution Center (KDC). The Kerberos authentication request from the client or the node was forwarded to the KDC and it failed because the timestamp encrypted in the Kerberos ticket was different by more than the maximum time difference that is configured on the KDC.
- Corrective Action
-
Ensure that the clock time of the node is identical to that of the client and to that of the KDC. To keep the node and KDC time clocks in synchronization automatically, configure Network Time Protocol (NTP) services on the node. Increasing the clock skew interval may also alleviate this condition: To do so, modify the Kerberos-realm configuration clock-skew parameter (denoted as "Maximum tolerance for computer clock synchronization" in Windows® Active Directory) from the default 300 seconds to 600 seconds or more. Note: Increasing the clock-skew interval makes the client protocols less secure against network replay attacks.
- Syslog Message
-
Kerberos client or node clock skew error for vserver (%s)%s
- Parameters
-
vserverName (STRING): Name of the vserver that is having the error.
clientInfo (STRING): Information of the client that is having the error if available.
secd.kerberos.lookupFailed
- Severity
-
ERROR
- Description
-
This message occurs when the Kerberos user is not a part of any name-service. ONTAP maps the Kerberos Service Principal Name(SPN) to a NFS user name while establishing a security context. If the NFS user name is not found in any of the name-services (LDAP, NIS, file), it leads to a failure in establishing security context, which in turn fails the Kerberos mount.
- Corrective Action
-
Ensure that there is a corresponding UNIX user name for the Kerberos Service Principal Name(SPN) in name services such as NIS, LDAP, or file.
- Syslog Message
-
Unable to map Kerberos user (%s) to appropriate UNIX user on Vserver (%s).
- Parameters
-
uname (STRING): Kerberos NFS user.
vserverName (STRING): Name of the Vserver.
secd.kerberos.noAuthdata
- Severity
-
ERROR
- Description
-
This message occurs when a Kerberos ticket for a user does not contain authorization data.
- Corrective Action
-
Ask the user to obtain a new, valid Kerberos ticket and map the share again.
- Syslog Message
-
Kerberos client has no authorization data for Vserver "%s" with user account "%s".
- Parameters
-
vserverName (STRING): Name of the Vserver on which the error occurred.
userAccount (STRING): User account for which there is insufficient credential information.
secd.kerberos.preauth
- Severity
-
ERROR
- Description
-
This message occurs when the machine account password is out of sync with the one set in the Active Directory.
- Corrective Action
-
Run "vserver cifs password-reset -vserver vserver_name" command to update the password in the Active Directory.
- Syslog Message
-
Kerberos pre-authentication failure due to out-of-sync machine account password for vserver (%s).
- Parameters
-
vserverName (STRING): Name of the vserver that is having the error.
secd.kerberos.tktexpired
- Severity
-
ERROR
- Description
-
This message occurs when the client's ticket has expired. This error indicates that the timestamp encrypted in the client's Kerberos ticket has exceeded it's maximum lifetime or expired.
- Corrective Action
-
Ensure that the clock time of the node is identical to that of the client and to that of the KDC. To keep the node and KDC time clocks in synchronization automatically, configure Network Time Protocol (NTP) services on the node. Increasing the clock skew interval may also alleviate this condition: To do so, modify the Kerberos-realm configuration clock-skew parameter (denoted as "Maximum tolerance for computer clock synchronization" in Windows® Active Directory) from the default 300 seconds to 600 seconds or more. Note: Increasing the clock-skew interval makes the client protocols less secure against network replay attacks.
- Syslog Message
-
Kerberos client ticket has expired for vserver (%s)%s
- Parameters
-
vserverName (STRING): Name of the vserver that is having the error.
clientInfo (STRING): Information of the client that is having the error if available.
secd.kerberos.tktnyv
- Severity
-
ERROR
- Description
-
This message occurs when the client presented a ticket to the server that is not yet valid (in relationship to the server time). This error indicates that the clocks on the KDC and the client are not synchronized.
- Corrective Action
-
Ensure that the clock time of the node is identical to that of the client and to that of the KDC. To keep the node and KDC time clocks in synchronization automatically, configure Network Time Protocol (NTP) services on the node. Increasing the clock skew interval may also alleviate this condition: To do so, modify the Kerberos-realm configuration clock-skew parameter (denoted as "Maximum tolerance for computer clock synchronization" in Windows® Active Directory) from the default 300 seconds to 600 seconds or more. Note: Increasing the clock-skew interval makes the client protocols less secure against network replay attacks.
- Syslog Message
-
Kerberos client ticket not yet valid for vserver (%s)%s
- Parameters
-
vserverName (STRING): Name of the vserver that is having the error.
clientInfo (STRING): Information of the client that is having the error if available.