Tamas Papp wrote:


On 11/05/2013 03:58 PM, Rich Megginson wrote:
On 11/05/2013 07:53 AM, Tamas Papp wrote:
On 11/05/2013 03:17 PM, Rich Megginson wrote:
https://fedorahosted.org/389/ticket/47516

This has been fixed upstream and in some releases - to allow
replication to proceed despite excessive clock skew - what is your
389-ds-base version and platform?
What is the clock skewed? The date and time is the same on both
machines.

VMs are notorious for having the clocks get out of sync - even
temporarily.

What do you mean by this?
I definitely see the same time on the machines.
Also I can see in the log, that the replication is resumed. There is no
messages about the broken replication after the resume message.

You see the same time NOW. The logs were reflecting a difference at that time.


freeipa-admintools-3.3.2-1.fc19.x86_64
freeipa-client-3.3.2-1.fc19.x86_64
freeipa-python-3.3.2-1.fc19.x86_64
freeipa-server-3.3.2-1.fc19.x86_64
libipa_hbac-1.11.1-4.fc19.x86_64
libipa_hbac-python-1.11.1-4.fc19.x86_64
sssd-ipa-1.11.1-4.fc19.x86_64
389-ds-base-libs-1.3.1.12-1.fc19.x86_64
389-ds-base-1.3.1.12-1.fc19.x86_64

Linux ipa31.bph.cxn 3.11.6-201.fc19.x86_64 #1 SMP Sat Nov 2 14:09:09 UTC
2013 x86_64 x86_64 x86_64 GNU/Linux
Fedora 19.


How can I fix it?

ldapmodify -x -D "cn=directory manager" -W <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-ignore-time-skew
nsslapd-ignore-time-skew: on
EOF

Do this on all of your servers.

I tried this, but no joy. Still not good:/

What I really  don't understand, why I cannot login to ui (or to an
installed client machine) if the replication doesn't work.
Is it a normal behaviour?

These issues are probably not related, unless perhaps the time skew is also throwing off the Kerberos tickets and/or session cache in the IPA framework.

You didn't say how you were trying to log into the UI. Are you using Kerberos or the form-based authentication?

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to