[Freeipa-users] Kerberos Clock Skew too great
Robbie Harwood
rharwood at redhat.com
Mon Jan 9 19:18:58 UTC 2017
Rakesh Rajasekharan <rakesh.rajasekharan at gmail.com> writes:
> There were about 1500 hosts that were alerting for "clock skew" and the
> issue went away only after I did a resync using ntpdate on all those hosts
Great, glad it's fixed! Are these VMs? If not, you may wish to
(re?)configure automatic syncing.
> Is it possible that so many higher number of minor offsets adds up and
> causes it. Coz from the individual offset it looks much below the 5min limit
Not as such, if I understand you correctly? This should only be a
problem between any two machines that need to communicate (including the
freeipa KDC).
> Or, is there a way to tell whats the offset limit its actually looking for.
5 minutes almost certainly. The parameter to configure it is
"clockskew" in the config files, but I don't think IPA touches that.
Hope that helps,
--Robbie
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20170109/50109bf7/attachment.sig>
More information about the Freeipa-users
mailing list