Well... as per Red Hat best practice on RHEL7 we use Chrony, which also has the 
ability to sync software time to hardware.

Or at least, it should.....

We have discovered that Hyper-V is as bad as always and that it's almost 
impossible to have synced hardware and software time, and that some servers 
(still not on IPA) have a time diff of several hours.

It seems to depend on load. Higher load means higher time-diff.

So the next question is:
I cannot find any documentation on Kerberos and software vs. hardware time, and 
whether it's possible to force Kerberos to use software time, as this seems to be the 
only way to get a correct time on Hyper-V?


----- On Sep 6, 2017, at 12:29 PM, Tony Brian Albers via FreeIPA-users 
freeipa-users@lists.fedorahosted.org wrote:

> If you have VM's in the mix, and use ntp,  use    tinker panic 0  in
> their ntp.conf files.
> 
> /tony
> 
> On 09/06/2017 11:41 AM, Troels Hansen via FreeIPA-users wrote:
>> Hmm......
>> 
>> Found the error.....   It appears it's the hardware time that's used for
>> kerberos, and as the hardware is apparently ~6 minutes off....... well....
>> 
>> 
>> ----- On Sep 6, 2017, at 9:50 AM, Troels Hansen via FreeIPA-users
>> <freeipa-users@lists.fedorahosted.org> wrote:
>> 
>>     Hi
>> 
>>     We have set up IPA with AD trust on RHEL and this works fine.
>> 
>>     Running IPA 4.5
>> 
>>     However, sometimes we are unable to mount home (with autofs).
>> 
>>     I have found that the KDC claims "Clock skew too great"; however, I
>>     cannot see any problems.
>> 
>>     kinit works fine and I have a kerberos TGT:
>> 
>>       klist
>>     Ticket cache: KEYRING:persistent:0:0
>>     Default principal: USER@REALM
>> 
>>     Valid starting       Expires              Service principal
>>     09/06/2017 09:40:00  09/06/2017 19:40:00  krbtgt/REALM@REALM
>>              renew until 09/07/2017 09:39:54
>> 
>> 
>> 
>>     To test. Manually mounting fails:
>> 
>>     mount.nfs4 -v -s -o rw,nodev,nosuid,hard,sec=krb5p
>>     profil01.domain:/var/nfs/profil/user/mnt/
>>     mount.nfs4: timeout set for Wed Sep  6 09:42:29 2017
>>     mount.nfs4: trying text-based options
>>     'hard,sec=krb5p,sloppy,addr=10.101.173.91,clientaddr=10.101.11.195'
>>     mount.nfs4: mount(2): Permission denied
>>     mount.nfs4: access denied by server while mounting
>>     profil01.domain:/var/nfs/profil/user
>> 
>> 
>>     krb5kdc.log in IPA shows:
>> 
>>     Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes
>>     {18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0,
>>     host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew
>>     too great
>>     Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
>>     Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes
>>     {18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0,
>>     host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew
>>     too great
>>     Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
>> 
>> 
>>     However, the time between ipa, client and nfs server is within 1
>>     second (and same timezone).
>> 
>> 
>>     I'm unsure on how to debug further as everything seems fine so any
>>     help would be appreciated.
>> 
>> 
>>     _______________________________________________
>>     FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>     To unsubscribe send an email to
>>     freeipa-users-le...@lists.fedorahosted.org
>> 
>> 
>> --
>> 
>> Best regards
>> 
>> *Troels Hansen*
>> 
>> Senior Linux Engineer
>> 
>> Casalogic A/S
>> 
>> T  (+45) 70 20 10 63
>> 
>> M (+45) 22 43 71 57
>> 
>> <http://www.casalogic.dk/signatur/th.vcf>
>> <http://www.linkedin.com/company/67524> <http://twitter.com/casalogic>
>> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB,
>> Sophos and much more.
>> 
>> 
>> 
> 
> 
> --
> Tony Albers
> Systems administrator, IT-development
> Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 2566 2383 / +45 8946 2316

-- 
Best regards 

Troels Hansen 

Senior Linux Engineer 


Casalogic A/S 


T (+45) 70 20 10 63 

M (+45) 22 43 71 57 

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and 
much more.
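The thread's working diagnosis is that the hardware clock and the system clock drift apart on Hyper-V guests, and that the drift grows with load. The script below is an added example (not code from the thread, from FreeIPA or from chrony) that a sysadmin can run on each guest to see how far the two clocks disagree, whether that gap would exceed the Kerberos clock-skew window, and whether chrony is actually tracking a source. It assumes a Linux host with hwclock(8), GNU date and chronyc; the 300-second limit is MIT krb5's default clockskew, which the thread itself does not state, and the file name clockcheck.sh used in the guard at the bottom is a hypothetical name for the script.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or chrony): compare the
# software (system) clock with the hardware clock (RTC) and report whether
# the drift would fall outside the Kerberos clock-skew window.
# Assumptions: Linux with hwclock(8), GNU date and chronyc. The default
# limit of 300 s is MIT krb5's default clockskew (an assumption; the
# thread does not give the value). Override with KRB5_CLOCKSKEW_LIMIT.

KRB5_CLOCKSKEW_LIMIT="${KRB5_CLOCKSKEW_LIMIT:-300}"

# abs_diff A B: absolute difference of two epoch-second values.
abs_diff() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    printf '%s\n' "$d"
}

# skew_status DIFF LIMIT: prints "ok" if DIFF is within LIMIT seconds,
# "skew" otherwise (a TGS request from such a host would be refused).
skew_status() {
    if [ "$1" -gt "$2" ]; then printf 'skew\n'; else printf 'ok\n'; fi
}

# rtc_to_epoch LINE: convert one line of `hwclock --show` output to epoch
# seconds. Older util-linux (as on RHEL 7) appends "  -0.406250 seconds"
# to the timestamp, which GNU date cannot parse, so strip that suffix first;
# newer util-linux prints ISO 8601, which passes through unchanged.
rtc_to_epoch() {
    date -d "$(printf '%s\n' "$1" | sed -E 's/ +-?[0-9.]+ seconds$//')" +%s
}

# chrony_synced: succeeds when `chronyc tracking` reports a normal leap
# status, i.e. chrony is synchronised to a source; fails otherwise.
chrony_synced() {
    status=$(chronyc tracking 2>/dev/null | awk -F': *' '/^Leap status/ {print $2}')
    [ "$status" = "Normal" ]
}

# check_clocks: live check of this host; reading the RTC needs root.
# Returns 0 when the drift is within the limit, 1 when it is not,
# 2 when the RTC could not be read.
check_clocks() {
    sys=$(date +%s)
    rtc_line=$(hwclock --show 2>/dev/null) || {
        echo "cannot read hardware clock (run as root?)"; return 2; }
    rtc=$(rtc_to_epoch "$rtc_line") || return 2
    diff=$(abs_diff "$sys" "$rtc")
    verdict=$(skew_status "$diff" "$KRB5_CLOCKSKEW_LIMIT")
    echo "system clock  : $(date -u -d "@$sys")"
    echo "hardware clock: $(date -u -d "@$rtc")"
    echo "drift         : ${diff}s (limit ${KRB5_CLOCKSKEW_LIMIT}s) -> $verdict"
    if chrony_synced; then
        echo "chrony        : synchronised to a source"
    else
        echo "chrony        : NOT synchronised (check 'chronyc sources')"
    fi
    [ "$verdict" = "ok" ]
}

# Run the live check only when executed as clockcheck.sh (hypothetical
# file name), so the functions can also be sourced from other scripts.
if [ "${0##*/}" = "clockcheck.sh" ]; then
    check_clocks
fi
```

Run it as root on a guest that is showing "Clock skew too great" and on one that is not; a large drift value together with "NOT synchronised" points at the guest's time source rather than at Kerberos itself, which is the first thing to rule out before touching krb5 settings.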
