[Freeipa-users] Kerberos Clock Skew too great

Rakesh Rajasekharan rakesh.rajasekharan at gmail.com
Mon Jan 9 08:37:21 UTC 2017


Yes, on the IPA server as well. The offset isn't that high:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ip-10-10-1-150.e 132.163.4.101    2 u  119  128  377    0.431   -0.279   0.348

So my NTP server, the IPA client and the IPA master all seem not to
have a high offset or jitter.

There were about 1500 hosts that were alerting for "clock skew", and the
issue went away only after I did a resync using ntpdate on all those hosts.

Is it possible that such a high number of minor offsets adds up and
causes it? Because from the individual offsets it looks much below the 5 min limit.

Or is there a way to tell what offset limit it's actually looking for?

Thanks,
Rakesh



On Mon, Jan 9, 2017 at 1:42 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:

> On Mon, Jan 09, 2017 at 01:07:06PM +0530, Rakesh Rajasekharan wrote:
> > Hi,
> >
> > I am using a Freeipa 4.2.0 server.
> >
> > I sometimes see "clock skew too great" errors in /var/log/krb5kdc.log. And
> > when this happens, usually logins or new ipa-client-install fails.
> >
> > When I checked on one of the hosts for which the clock skew was reported,
> >
> > #> ntpq -p
> >     remote           refid      st t when poll reach   delay   offset  jitter
> > ==============================================================================
> > *ip-10-10-1-150.e 171.66.97.126    2 u  869 1024  377    0.448    0.047   0.142
>
> In general, 5 minutes is OK at least. But are you sure the server is also
> in sync or just the client against an NTP server (iow, are you sure you
> are checking the difference between a client and the KDC as well?)
>
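
The comparison suggested in the quoted reply (client against the KDC, not only each host against its own NTP source), as an added example that is not part of the original thread. The function names and the sample `ntpq -p` lines are constructed; it assumes the NTP sources of both hosts agree with each other and uses the 300-second default of the `clockskew` setting in krb5.conf.

```python
# Added example: estimate client-vs-KDC skew from each host's `ntpq -p` output.
# All sample lines below are constructed for illustration.
KRB5_CLOCKSKEW_S = 300  # default of `clockskew` in krb5.conf [libdefaults], in seconds

def selected_peer(ntpq_output):
    """Return (offset_ms, reach) for the peer ntpd has selected ('*'), else None."""
    for line in ntpq_output.splitlines():
        if not line.startswith("*"):
            continue  # header, separator, or a peer that is not the sync source
        # columns: remote refid st t when poll reach delay offset jitter
        fields = line[1:].split()
        if len(fields) < 10:
            continue  # wrapped or truncated line, cannot be trusted
        return float(fields[8]), int(fields[6], 8)  # reach is printed in octal
    return None

def skew_between(client_out, kdc_out, limit_s=KRB5_CLOCKSKEW_S):
    """Return (verdict, skew_seconds); verdict is 'within', 'exceeds' or 'unknown'."""
    client, kdc = selected_peer(client_out), selected_peer(kdc_out)
    if client is None or kdc is None or client[1] == 0 or kdc[1] == 0:
        # No selected, reachable peer: the offset column says nothing about
        # the real clock, so do not report the host as healthy.
        return ("unknown", None)
    # Each offset is relative to that host's own NTP source, so the difference
    # of the two offsets approximates the client-vs-KDC difference.
    skew_s = abs(client[0] - kdc[0]) / 1000.0  # ntpq prints milliseconds
    return ("exceeds" if skew_s > limit_s else "within", skew_s)

HEADER = ("     remote           refid      st t when poll reach   delay   offset  jitter\n"
          "==============================================================================\n")
KDC = HEADER + "*ntp1.example     192.0.2.10       2 u  119  128  377    0.431   -0.279   0.348\n"
CLIENT_OK = HEADER + "*ntp1.example     192.0.2.10       2 u  869 1024  377    0.448    0.047   0.142\n"
CLIENT_UNSYNCED = HEADER + " ntp1.example     .INIT.          16 u    -  128    0    0.000    0.000   0.000\n"
CLIENT_DRIFTED = HEADER + "*ntp1.example     192.0.2.10       2 u   12   64  377    0.502 -412345.678 0.910\n"

if __name__ == "__main__":
    for name, out in [("ok", CLIENT_OK), ("unsynced", CLIENT_UNSYNCED), ("drifted", CLIENT_DRIFTED)]:
        print(name, skew_between(out, KDC))
```
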