Hi There,

Sorry, I could not get back on this earlier.

> Great, glad it's fixed!  Are these VMs?  If not, you may wish to
> (re?)configure automatic syncing.
Yes, these are AWS instances. How do I reconfigure auto syncing? Is there
documentation I can follow?
Sorry, I haven't done this before and there is not much info on that part.


Apart from this, I also have a correlation between the "Clock skew" issue
and an earlier issue that I posted in another thread.
Basically, I noticed that whenever I see clock skew errors, I see a lot of
connections in SYN_RECV state.

This is the list of SYN_RECV connections:

tcp        0      0 10.0.8.45:88           10.0.30.49:42695        SYN_RECV
tcp        0      0 10.0.8.45:88           10.0.15.72:44991        SYN_RECV
tcp        0      0 10.0.8.45:88           10.0.2.82:53265         SYN_RECV
tcp        0      0 10.0.8.45:88           10.0.31.253:57682       SYN_RECV
tcp        0      0 10.0.8.45:88           10.0.34.208:53488       SYN_RECV
tcp        0      0 10.0.8.45:88           10.0.27.17:47245        SYN_RECV
tcp        0      0 10.0.8.45:88           10.0.17.53:54504        SYN_RECV
tcp        0      0 10.0.8.45:88           10.0.24.78:47796        SYN_RECV
tcp        0      0 10.0.8.45:88           10.0.4.246:33607        SYN_RECV
tcp        0      0 10.0.8.45:88           10.0.27.91:34190        SYN_RECV
tcp        0      0 10.0.8.45:88           10.0.27.248:38012       SYN_RECV
tcp        0      0 10.0.8.45:88           10.0.15.139:51319       SYN_RECV
tcp        0      0 10.0.8.45:88           10.0.15.175:41188       SYN_RECV


Thanks,
Rakesh



On Tue, Jan 10, 2017 at 12:48 AM, Robbie Harwood <rharw...@redhat.com>
wrote:

> Rakesh Rajasekharan <rakesh.rajasekha...@gmail.com> writes:
>
> > There were about 1500 hosts that were alerting for "clock skew" and the
> > issue went away only after I did a resync using ntpdate on all those hosts
>
> Great, glad it's fixed!  Are these VMs?  If not, you may wish to
> (re?)configure automatic syncing.
>
> > Is it possible that so many higher number of minor offsets adds up and
> > causes it. Coz from the individual offset it looks much below the 5min limit
>
> Not as such, if I understand you correctly?  This should only be a
> problem between any two machines that need to communicate (including the
> freeipa KDC).
>
> > Or, is there a way to tell what's the offset limit it's actually looking for.
>
> 5 minutes almost certainly.  The parameter to configure it is
> "clockskew" in the config files, but I don't think IPA touches that.
>
> Hope that helps,
> --Robbie
>