Apr 21 16:28:45 adclient[23651]: DEBUG <fd:16 PAMVerifyPassword> daemon.ipcclient validate password caught exception: KDC refused skey: Clock skew too great
Apr 21 16:28:45 adclient[23651]: WARN <fd:16 PAMVerifyPassword> audit User 'mxp883' not authenticated: KDC refused skey: Clock skew too great
Putty SSO will always work fine as they already have a Kerberos ticket however interactive logon will fail if the user (in question) had never logged into the box before or if adflush was previously run manually.
Note: You can simulate a disconnect by changing the parameter
adclient.server.try.max to 0.
However the main issue for interactive login to fail is the clock sync. This is really governed by a couple of parameters:
a) adclient.sntp.enabled and
b) adclient.sntp.poll.
The first one is set to true by default which means adclient will make sure (in the event of a drift), we will try to sync up. In some customer environments, they will use ntp client as well and so there will be a racing condition and one of them will win which will ensure we are in sync.
Resolution:
We recommend customers to either use ntp completely (which means uncomment & make the parameter adclient.sntp.enabled as false and doing adreload) or use our solution (leave it as default) and disable your ntp.
The 2nd parameter adclient.sntp.poll is for fine tuning only.
If customers continue to see disconnects due to clock sync, they can fine tune this parameter.
When Centrify disconnects on its own due to clock sync issues, we suggest them to run the command ntpupdate and see how much the drift is so that they can get an idea. In a nutshell, no additional parameter is needed for cached credentials to work. It should work out-of-the-box without any tweaking. Please make sure the clock sync drift is not greater than 5 minutes as Kerberos logins are sensitive to time changes.