On Mon, Jan 09, 2017 at 02:07:21PM +0530, Rakesh Rajasekharan wrote:
> yes on the IPA server as well.. the offset isn't that high
>
>      remote           refid      st t when poll reach   delay   offset  jitter
> ==============================================================================
> *ip-10-10-1-150.e 184.108.40.206   2 u  119  128  377    0.431   -0.279   0.348
>
> So, my NTP server, the ipa client and the IPA master.. all seems to not
> have a high offset or a jitter.
>
> There were about 1500 hosts that were alerting for "clock skew" and the
> issue went away only after I did a resync using ntpdate on all those hosts
>
> Is it possible that so many higher number of minor offsets adds up and
> causes it. Coz from the individual offset it looks much below the 5min limit
>
> Or, is there a way to tell what's the offset limit it's actually looking for.

Sorry, I'm a bit out of my depth here, the only other suggestion I have
is to try kinit with KRB5_TRACE=/dev/stderr when that happens, which
should at least dump which KDC is the client talking to (if you have
multiple masters..)

> Thanks,
> Rakesh
>
> On Mon, Jan 9, 2017 at 1:42 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>
> > On Mon, Jan 09, 2017 at 01:07:06PM +0530, Rakesh Rajasekharan wrote:
> > > Hi,
> > >
> > > I am using a Freeipa 4.2.0 server.
> > >
> > > I sometimes see, "clock skew too great" errors in /var/log/krb5kdc.log. And
> > > when this happens, usually logins or new ipa-client-install fails.
> > >
> > > When I checked on one of the hosts for which the clock skew was reported,
> > >
> > > #> ntpq -p
> > >      remote           refid      st t when poll reach   delay   offset  jitter
> > > ==============================================================================
> > > *ip-10-10-1-150.e 220.127.116.11   2 u  869 1024  377    0.448    0.047   0.142
> >
> > In general, 5 minutes is OK at least. But are you sure the server is also
> > in sync or just the client against an NTP server (iow, are you sure you
> > are checking the difference between a client and the KDC as well?)
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
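Added example, not part of any message in this thread: a small parser that reads `ntpq -p` output as pasted above (tolerating `>` quote markers and rows wrapped by a mail client), converts the offset column from milliseconds to seconds, and compares it with the 300-second default of the krb5.conf `clockskew` setting. The first sample row is the one quoted in the thread; the second row, the function names and the `reachable` flag are constructed for illustration.

```python
KRB5_DEFAULT_CLOCKSKEW_S = 300  # default krb5.conf [libdefaults] clockskew (5 minutes)

# First row: as quoted (and mail-wrapped) in the thread. Second row: constructed.
SAMPLE = """\
> remote refid st t when poll reach delay offset
> jitter
> ==============================================================================
> *ip-10-10-1-150.e 220.127.116.11 2 u 869 1024 377 0.448 0.047
> 0.142
> ntp2.example.test 192.0.2.10 3 u 12 64 17 0.510 412345.678 9.001
"""

def parse_ntpq_peers(text):
    """Parse the peer rows of `ntpq -p`; input must contain only ntpq output."""
    tokens, past_rule = [], False
    for line in text.splitlines():
        line = line.lstrip("> \t").rstrip()      # drop mail quote markers
        if line and set(line) == {"="}:          # the ==== rule (may be wrapped too)
            past_rule = True
        elif past_rule:
            tokens.extend(line.split())          # rejoin rows split across lines
    peers = []
    for i in range(0, len(tokens) - 9, 10):      # ten columns per peer row
        remote, _refid, _st, _t, _when, _poll, reach, _delay, offset, _jitter = tokens[i:i + 10]
        peers.append({
            "remote": remote.lstrip("*"),
            "sys_peer": remote.startswith("*"),  # '*' marks the selected time source
            "reach": int(reach, 8),              # octal bitmap of the last 8 polls
            "offset_ms": float(offset),          # ntpq prints milliseconds
        })
    return peers

def skew_check(peers, clockskew_s=KRB5_DEFAULT_CLOCKSKEW_S):
    """Compare each peer's |offset| (in seconds) with the Kerberos skew limit."""
    return [{
        "remote": p["remote"],
        "offset_s": abs(p["offset_ms"]) / 1000.0,
        "within_limit": abs(p["offset_ms"]) / 1000.0 < clockskew_s,
        "reachable": p["reach"] == 0o377,        # all of the last 8 polls answered
    } for p in peers]

if __name__ == "__main__":
    for row in skew_check(parse_ntpq_peers(SAMPLE)):
        print(row)
```

This only measures a host against its NTP peer; the client-to-KDC difference asked about in the thread needs the same check run on the KDC host and the two results compared.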