[Freeipa-users] Kerberos Clock Skew too great

Rakesh Rajasekharan rakesh.rajasekharan at gmail.com
Thu Jan 26 17:24:22 UTC 2017


I was seeing a lot of entries in the krb5kdc.log like the one below:

"krb5kdc[10403](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.4.219: ISSUE:
authtime 1485450918, etypes {rep=18 tkt=18 ses=18}, host/my-host at MYDOMAIN"

On one env, where users rarely log in, even there I see a lot of such
requests.


Finally, I think I was able to track this down. There are a few local
accounts (non-FreeIPA) on my hosts. These are used to run some custom
scripts through cron and run frequently (every few minutes).
So, I feel whenever there's a request for "su - <localuser>" or a sudo to
the local user, that would also end up calling the Kerberos service, and
since it runs so frequently on all the hosts, they would be choking the
IPA master / replica with so many requests.

Please correct me if I am wrong in the above assumption.

Going by the above logic, I have added a filter_users section with these
users in the sssd.conf. Hopefully I would see a drop in the number of
requests.




On Mon, Jan 23, 2017 at 11:27 PM, Robbie Harwood <rharwood at redhat.com>
wrote:

> Rakesh Rajasekharan <rakesh.rajasekharan at gmail.com> writes:
>
> > one more question I was curious is.. when does the krb5kdc.log get
> > entries. .. I mean is it only when someone makes an attempt to login
> > to a server that the log file krb5kdc.log on the IPA master gets
> > updated or there are other scenarios as well
>
> It's controlled by /etc/kdc.conf ; take a look at the "[logging]" section
> in `man 5 kdc.conf` for more information.
>
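
One way to check which hosts and principals account for the TGS_REQ volume described in the message above, for instance before and after a change such as the filter_users setting. This is an added example, not part of the original post; the sample log lines, host names and realm are constructed, and `tally_requests` / `noisy_clients` are hypothetical helper names.

```python
import re
from collections import Counter

# Fields of a krb5kdc.log request line, in the layout quoted in the message:
# request type, client address, result, authtime, client principal.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) "
    r"(?P<addr>[0-9A-Fa-f.:]+): (?P<status>[A-Z_]+): "
    r"authtime (?P<authtime>\d+),.*?\}, (?P<client>\S+)"
)

# Constructed sample lines (host names, realm and timestamps are made up).
SAMPLE_LOG = """\
Jan 26 17:15:18 ipa1.example.test krb5kdc[10403](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.4.219: ISSUE: authtime 1485450918, etypes {rep=18 tkt=18 ses=18}, host/app1.example.test@EXAMPLE.TEST for ldap/ipa1.example.test@EXAMPLE.TEST
Jan 26 17:17:18 ipa1.example.test krb5kdc[10403](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.4.219: ISSUE: authtime 1485450918, etypes {rep=18 tkt=18 ses=18}, host/app1.example.test@EXAMPLE.TEST for ldap/ipa1.example.test@EXAMPLE.TEST
Jan 26 17:17:19 ipa1.example.test krb5kdc[10403](info): closing down fd 12
Jan 26 17:19:18 ipa1.example.test krb5kdc[10403](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.4.219: ISSUE: authtime 1485450918, etypes {rep=18 tkt=18 ses=18}, host/app1.example.test@EXAMPLE.TEST for ldap/ipa1.example.test@EXAMPLE.TEST
Jan 26 17:20:01 ipa1.example.test krb5kdc[10403](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.4.220: ISSUE: authtime 1485451201, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Jan 26 17:20:02 ipa1.example.test krb5kdc[10403](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.4.220: ISSUE: authtime 1485451201, etypes {rep=18 tkt=18 ses=18}, host/app2.example.test@EXAMPLE.TEST for ldap/ipa1.example.test@EXAMPLE.TEST
"""


def tally_requests(log_text, req_type="TGS_REQ"):
    """Count issued requests of one type per (client address, principal)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["req"] == req_type and m["status"] == "ISSUE":
            counts[(m["addr"], m["client"])] += 1
    return counts


def noisy_clients(log_text, threshold):
    """Return (address, principal, count) rows at or above threshold, busiest first."""
    return [(addr, client, n)
            for (addr, client), n in tally_requests(log_text).most_common()
            if n >= threshold]


if __name__ == "__main__":
    # Print one row per client, highest request count first.
    for addr, client, n in noisy_clients(SAMPLE_LOG, 1):
        print(f"{n:5d}  {addr:15s}  {client}")
```

Running the same tally over the KDC log for equal time windows before and after the sssd.conf change shows whether the per-host request count actually dropped.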