That is great. However you may wish to qualify what "significant" is.
In the case of the original clock-skew problems (between the IPA LDAP
Server and sssd clients on other servers), a skew in the order of 5 minutes
was enough to prevent us sshing into our servers with an ldap user.
You might also want to repeat the hint that if the FreeIPA Server is
running in a VM, it must NEVER be a NTPD server for other servers, as VMs
are notorious for bad time keeping.
From: Martin Kosek <mko...@redhat.com>
To: Christopher Lamb/Switzerland/IBM@IBMCH,
Date: 28.04.2015 14:13
Subject: Re: [Freeipa-users] Fw: Web ui error “Your session has
expired. Please re-login.” from a browser on a remote client.
On 04/27/2015 06:09 PM, Christopher Lamb wrote:
> Hi All
> I may have found a possible cause of our instance of the "Your session
> expired" Web UI error on our new FreeIPA 4.1.0 Server
> By chance I checked the date on the server hosting FreeIPA 4.1.0. To my
> surprise, despite running ntpd it was 2 hours in the future!
> Some moons ago we suffering from clock-skew problems, and had spent a lot
> of time understanding ntp, and setting up an optimal ntp
> architecture /config. We were able to completely eliminate clock-skew
> across all our servers.
> Digging into the /etc/ntp.conf file I saw that FreeIPA had replaced our 4
> NTPD servers with 4 RedHat NTPD servers.
> Therefore I returned the /etc/ntp.conf file to our default, restarted
> and time was correct again.
> Subsequent to this (at least at various points today) I have been able to
> successfully log into the Web UI from Firefox and Safari on OSX, and
> Firefox on Windows. On both platforms Chrome (not supported) does not
> I confess I have not had the time to return to the FreeIPA ntp config to
> see if the 2 hour offset + Web UI session problem can be reproduced, so
> the moment this remains a credible, but not proven hypothesis.
> However I guess that 2 hour offset probably comes from the 2 hour
> difference between UTC and European Summertime.
> I think it would be great if the changes made by FreeIPA setup to
> were optional - we care strongly about the content of that file!
Good to know. I updated the Troubleshooting page with this tip:
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project