-
Title
Time skew error mis-reported as FAST error -
Description
When a client's clock is significantly out of sync with Active Directory, usually beyond the default 5-minute Kerberos threshold, authentication attempts may fail with a misleading FAST error rather than a standard clock skew notification.
-
Cause
When running a host authentication check (e.g., sudo /opt/quest/bin/vastool -u host/ auth), the following error is observed:
ERROR: VAS_ERR_KRB5: Kerberos error KRB5_KDCREP_MODIFIED (-1765328237): FAST fast response is missing FX-FAST
However, if debug is enabled (sudo /opt/quest/bin/vastool -d5 -u host/ auth), it reveals the true Kerberos error regarding time skew:
[debug] (193916) _send_and_recv_srvinfo: KDC <dc.example.com> returned error <KRB5KRB_AP_ERR_SKEW>
-
Resolution
The issue has been identified as defect 702042, it's currently scheduled to be fixed in version 7.1 of Safeguard Authentication Services.
-
Change Request
702042