[Freeipa-users] Kerberos Clock Skew too great

Jakub Hrozek jhrozek at redhat.com
Mon Jan 9 10:59:37 UTC 2017


On Mon, Jan 09, 2017 at 02:07:21PM +0530, Rakesh Rajasekharan wrote:
> yes on the IPA server as well.. the offset isn't that high
> 
>      remote           refid      st t when poll reach   delay   offset  jitter
> ==============================================================================
> *ip-10-10-1-150.e 132.163.4.101    2 u  119  128  377    0.431   -0.279   0.348
> 
> So, my NTP server, the ipa client and the IPA master.. all seem to not
> have a high offset or a jitter.
> 
> There were about 1500 hosts that were alerting for "clock skew" and the
> issue went away only after I did a resync using ntpdate on all those hosts.
> 
> Is it possible that such a high number of minor offsets adds up and
> causes it? Coz from the individual offset it looks much below the 5min limit.
> 
> Or, is there a way to tell what's the offset limit it's actually looking for?

Sorry, I'm a bit out of my depth here, the only other suggestion I have
is to try kinit with KRB5_TRACE=/dev/stderr when that happens, which
should at least dump which KDC the client is talking to (if you have
multiple masters..)

> 
> Thanks,
> Rakesh
> 
> 
> 
> On Mon, Jan 9, 2017 at 1:42 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:
> 
> > On Mon, Jan 09, 2017 at 01:07:06PM +0530, Rakesh Rajasekharan wrote:
> > > Hi,
> > >
> > > I am using a Freeipa 4.2.0 server.
> > >
> > > I sometimes see, "clock skew too great" errors in /var/log/krb5kdc.log. And
> > > when this happens, usually logins or new ipa-client-install fails.
> > >
> > > When I checked on one of the hosts for which the clock skew was reported,
> > >
> > > #> ntpq -p
> > >     remote           refid      st t when poll reach   delay   offset  jitter
> > > ==============================================================================
> > > *ip-10-10-1-150.e 171.66.97.126    2 u  869 1024  377    0.448    0.047   0.142
> >
> > In general, 5 minutes is OK at least. But are you sure the server is also
> > in sync or just the client against an NTP server (iow, are you sure you
> > are checking the difference between a client and the KDC as well?)
> >
> >



