-
Title
FAQs on Authentication Services time synchronization or clock skew too great message -
Description
How does time synchronization work? What does vasd check to make sure that the unix host is in time sync? -
Resolution
The system clock of a client machine should be roughly synchronized with the system clock of the Active Directory (AD) Domain Controller. In order to authenticate with Active Directory, which includes joins and unjoins the Authentication Services client server needs to be within five minutes clock time with AD itself. Time synchronization between domain controllers and Windows clients is handled automatically. To ensure time synchronization Unix hosts may require additional configuration. If there is a significant difference between the system clock of the client machine and the AD Domain Controller the following error message will be displayed:
"Could not authenticate, error = Clock skew too great."
To correct a clock skew on the Unix host run/opt/quest/bin/vastool timesync command
This will synchronize the host's system clock to within 1 second of the Domain Controller for the domain the host is joined to. The vasd daemon also contains a Simple Network Time Protocol (SNTP) implementation that will continue to keep the host's system clock roughly synchronized with the domain time.
There are situations where it is not advisable to use vastool timesync. If the host is already configured to use Network Time Protocol (NTP) to synchronize the system clock with corporate time service, then the time should be synchronized already. If a clock skew occurs on a system running NTP, then there is either an error in the NTP configuration (/etc/ntp.conf) or the domain time itself has become unsynchronized.
Another situation that requires special attention is when the Unix host is running software that is time sensitive. Certain transactional databases and distributed systems react badly if the system clock is changed abruptly. If the Unix host is running time sensitive software NTP should be used instead of vastool timesync to synchronize time. For more information on NTP, please consult your Unix OS documentation. -
Additional Information
The vasd daemon will operate as a time synchronization agent for the Unix host if no other process is using the NTP port (123). It looks at port 123 when it starts up, and if is not bound (i.e. the port is open) then vasd will query Active Directory Domain Controllers for the current time and ensure that the Unix host's clock is synchronized so that Kerberos operations work correctly. Furthermore, if port 123 is open, then every 12 hours (default timesync interval) vasd will do a timesync against AD, setting the system clock to the appropriate time.
You can set the vas.conf setting by running the following command to disable vastool timesync: /opt/quest/bin/vastool configure vas vasd timesync-interval 0
The daemon has SNTP implemented in a programmatical sense (as a thread) - not as a file.
- The option to control how often it synchronizes is in vas.conf under the [vasd] section, called "timesync-interval".
- Value is in hours.
- A setting of 0 disables time-sync.
- A setting of -1 (or any negative number) is a fail-over that makes it happen every minute, this is useful for virtual machines that can quickly lose time-sync with a DC due to the nature of keeping time on a virtual machine.