[Freeipa-users] Kerberos Clock Skew too great

Jakub Hrozek jhrozek at redhat.com
Mon Jan 9 08:12:41 UTC 2017


On Mon, Jan 09, 2017 at 01:07:06PM +0530, Rakesh Rajasekharan wrote:
> Hi,
> 
> I am using a Freeipa 4.2.0 server.
> 
> I sometimes see, "clock skew too great" errors in /var/log/krb5kdc.log. And
> when this happens, usually logins or new ipa-client-install fails.
> 
> When I checked on one of the hosts for which the clock skew was reported,
> 
> #> ntpq -p
>      remote           refid      st t when poll reach   delay   offset  jitter
> ==============================================================================
> *ip-10-10-1-150.e 171.66.97.126    2 u  869 1024  377    0.448    0.047   0.142

In general, 5 minutes is OK at least. But are you sure the server is also
in sync or just the client against an NTP server (iow, are you sure you
are checking the difference between a client and the KDC as well?)
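
Added example (not part of the original thread): a Python sketch of the client-versus-KDC comparison asked about above, run over `ntpq -p` output collected on both hosts. The KDC sample lines, the host name `ntp1.example` and the function names are constructed; 300 s is the MIT krb5 default `clockskew`; it assumes the two hosts' NTP sources agree with each other.

```python
# Added example: compare `ntpq -p` output from the client and from the KDC.
KRB5_CLOCKSKEW_S = 300.0  # MIT krb5 default clockskew (5 minutes)

HEADER = (
    "     remote           refid      st t when poll reach   delay   offset  jitter\n"
    "==============================================================================\n"
)
# Client line is the one quoted in the post; both KDC samples are constructed.
CLIENT = HEADER + "*ip-10-10-1-150.e 171.66.97.126    2 u  869 1024  377    0.448    0.047   0.142\n"
KDC_SYNCED = HEADER + "*ntp1.example    192.0.2.10       2 u   51   64  377    0.913   -1.200   0.305\n"
KDC_UNSYNCED = HEADER + " ntp1.example    .INIT.          16 u    - 1024    0    0.000    0.000   0.000\n"


def selected_peer_offset_ms(ntpq_output):
    """Offset (ms) of the peer ntpd has selected ('*' or 'o' tally), else None."""
    for line in ntpq_output.splitlines():
        if not line or line[0] not in "*o":
            continue  # header, separator, or a peer that was not selected
        fields = line[1:].split()
        if len(fields) != 10:
            continue  # not a well-formed peer row
        try:
            return float(fields[8])  # columns: ... delay, offset, jitter
        except ValueError:
            continue
    return None


def kdc_skew_verdict(client_out, kdc_out, tolerance_s=KRB5_CLOCKSKEW_S):
    """Return (verdict, skew_seconds) for the client relative to the KDC."""
    client_ms = selected_peer_offset_ms(client_out)
    kdc_ms = selected_peer_offset_ms(kdc_out)
    if client_ms is None or kdc_ms is None:
        # A host with no selected peer is not disciplined by NTP, so its
        # clock (and the skew against the other host) cannot be inferred.
        return ("unknown", None)
    skew_s = abs(client_ms - kdc_ms) / 1000.0
    return ("ok" if skew_s <= tolerance_s else "too-great", skew_s)


if __name__ == "__main__":
    for name, kdc in (("synced KDC", KDC_SYNCED), ("unsynced KDC", KDC_UNSYNCED)):
        print(name, kdc_skew_verdict(CLIENT, kdc))
```

An "unknown" verdict for the KDC side is the case the reply points at: a well-synced client says nothing about the server's clock.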



