As I said they probably have a different setting for the allowed clock skew so I would check the time on the kerberos server Note in MIT kerberos in the krb5.conf file this can be set via the 'clockskew' option in the "libdefaults"section. It is specified in seconds and usually defaults to 300 seconds check out the krb5.conf man page for details there is also an option to allow the client to compensate for it and detect the actual skew but I don't recommend tinkering with it because it can cause issues. Also note that if you kerberos server is an AD server windows clients usually use their AD server as their default NTP source otherwise they go to Microsoft's pool of NTP servers.
On Oct 19, 2017 10:09 AM, "Pat Riehecky" <riehe...@fnal.gov> wrote: > If memory serves, SL7 has "Less Brittle Kerberos"[1] where as SL6 does > not. This could account for why one works and the other does not. > > Pat > > [1] https://fedoraproject.org/wiki/Features/LessBrittleKerberos > > On 10/18/2017 07:10 PM, Stephen Isard wrote: > >> On Wed, 18 Oct 2017 17:12:46 -0400, R P Herrold <herr...@owlriver.com> >> wrote: >> >> On Wed, 18 Oct 2017, Howard, Chris wrote: >>> >>> Is it possible the two boxes are talking to two different servers? >>>> >>> as the initial post mentioned and showed it was using remote >>> host lists to a pool alias, almost certainly -- >>> >> Oh, I took the question to be about the kerberos server. Yes, you are >> right, >> ntpd -q returns different results on the two machines. However, as I >> said in the original post, the time on the two machines is the same to >> within a very small amount., well within the five minute tolerance used by >> kerberos. So I don't understand why it should matter that the two machines >> have arrived at the same time by syncing with different servers. >> >> as a way around, set up ONE unit to act as the local master, >>> and then sync against it, to get 'site coherent' time >>> >> Could you tell me how to do this, or point me at a document that does? >> >> Thanks. >> >> [a person with more than one clock is never quite _sure_ what >>> time is correct ;) ] >>> >>> >>> for extra geek points, spend $25 on AMZN, and get a GPS USB >>> dongle; run a local top strata server (the first three >>> lintes of the following) >>> >>> [root@router etc]# ntpq -p >>> remote refid st t when poll reach delay >>> offset jitter >>> ============================================================ >>> ================= >>> GPS_NMEA(0) .GPS. 0 l - 16 0 0.000 >>> 0.000 0.000 >>> SHM(0) .GPS. 0 l - 16 0 0.000 >>> 0.000 0.000 >>> SHM(1) .PPS. 0 l - 16 0 0.000 >>> 0.000 0.000 >>> +ntp1.versadns.c .PPS. 1 u 665 1024 377 51.817 >>> -12.510 19.938 >>> *tock.usshc.com .GPS. 1 u 294 1024 377 34.608 >>> -8.108 10.644 >>> +clmbs-ntp1.eng. 130.207.244.240 2 u 429 1024 377 31.520 >>> -5.674 7.484 >>> +ntp2.sbcglobal. 151.164.108.15 2 u 272 1024 377 23.117 >>> -6.825 10.479 >>> +ntp3.tamu.edu 165.91.23.54 2 u 1063 1024 377 63.723 >>> -3.319 16.813 >>> [root@router etc]# >>> >>> >>> configuring ntp.conf is not all that hard >>> >>> -- Russ herrold >>> >> > -- > Pat Riehecky > > Fermi National Accelerator Laboratory > www.fnal.gov > www.scientificlinux.org >
