[Freeipa-users] Kerberos Clock Skew too great
Rakesh Rajasekharan
rakesh.rajasekharan at gmail.com
Wed Jan 18 15:07:20 UTC 2017
Hi There,
Sorry could not get back on this earlier,
> Great, glad it's fixed! Are these VMs? If not, you may wish to
> (re?)configure automatic syncing.
Yes, these are AWS instances. How do I reconfigure auto syncing? Is there
documentation I can follow?
Sorry, I haven't done this before and there is not much info on that part.
Apart from this, I also have a correlation between the "Clock skew" issue
and an earlier issue that I posted in another thread.
Basically, I noticed that whenever I see clock skew errors, I see a lot of
connections in SYN_RECV state.
This is the list of SYN_RECV connections:
tcp 0 0 10.0.8.45:88 10.0.30.49:42695 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.15.72:44991 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.2.82:53265 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.31.253:57682 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.34.208:53488 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.27.17:47245 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.17.53:54504 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.24.78:47796 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.4.246:33607 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.27.91:34190 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.27.248:38012 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.15.139:51319 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.15.175:41188 SYN_RECV
Thanks,
Rakesh
On Tue, Jan 10, 2017 at 12:48 AM, Robbie Harwood <rharwood at redhat.com>
wrote:
> Rakesh Rajasekharan <rakesh.rajasekharan at gmail.com> writes:
>
> > There were about 1500 hosts that were alerting for "clock skew" and the
> > issue went away only after I did a resync using ntpdate on all those
> > hosts
>
> Great, glad it's fixed! Are these VMs? If not, you may wish to
> (re?)configure automatic syncing.
>
> > Is it possible that so many higher number of minor offsets adds up and
> > causes it. Coz from the individual offset it looks much below the 5min
> > limit
>
> Not as such, if I understand you correctly? This should only be a
> problem between any two machines that need to communicate (including the
> freeipa KDC).
>
> > Or, is there a way to tell what's the offset limit it's actually looking
> > for.
>
> 5 minutes almost certainly. The parameter to configure it is
> "clockskew" in the config files, but I don't think IPA touches that.
>
> Hope that helps,
> --Robbie
>
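
As an added example that is not part of the original message: one way to tally half-open connections per service port from `netstat -tn` output like the listing above, so a build-up on the KDC port (88) can be tracked alongside clock skew alerts. The function names, the sample rows and the threshold are assumptions made for illustration.

```python
"""Summarise half-open (SYN_RECV) TCP connections from `netstat -tn` output."""
from collections import Counter, defaultdict

# Constructed sample rows in the same column layout as the listing in the message.
SAMPLE = """\
tcp 0 0 10.0.8.45:88 10.0.30.49:42695 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.15.72:44991 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.15.72:44995 SYN_RECV
tcp 0 0 10.0.8.45:389 10.0.2.82:53265 ESTABLISHED
tcp 0 0 10.0.8.45:88 10.0.2.82:53270 ESTABLISHED
tcp 0 0 10.0.8.45:464 10.0.4.246:33607 SYN_RECV
"""

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6 addresses also parse."""
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port)

def half_open_by_port(netstat_text):
    """Return {local_port: Counter(peer_addr -> SYN_RECV count)}."""
    result = defaultdict(Counter)
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expected columns: proto recv-q send-q local foreign state
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != "SYN_RECV":
            continue
        try:
            _, local_port = split_endpoint(fields[3])
            peer, _ = split_endpoint(fields[4])
        except ValueError:
            continue  # header line or malformed row
        result[local_port][peer] += 1
    return dict(result)

def ports_over_threshold(summary, threshold):
    """Local ports whose total SYN_RECV count is at or above threshold (assumed value)."""
    return sorted(port for port, peers in summary.items()
                  if sum(peers.values()) >= threshold)

if __name__ == "__main__":
    summary = half_open_by_port(SAMPLE)
    for port, peers in sorted(summary.items()):
        print(port, sum(peers.values()), "half-open from", len(peers), "peers")
```
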