kerberos "client and server clocks must be synchronized"

Posted on 2004-09-28
Last Modified: 2013-11-17
I am having an issue on AIX 4.3.3 with kerberos and sp complex,

after I built new keys on the control workstation which are under /tftpboot and place the new krb-srvtab files on all the systems I start haveing errors show up like the following:
(the xxx has been put in place of real names)

rcmdtgt:  2502-052 Error getting service ticket for
2504-037 Kerberos error: client and server clocks must be synchronized.
2502-603 You do not have Kerberos credentials.
kdestroy: 2502-000 No tickets to destroy.

checking the date shows i was off by as much as 40 minutes apart on 3 systems.. out of 10.
2 nodes on frame 1 and 1 of the nodes on frame 2, so its not frame specific.

after issuing the command on the cws  # dsh -av date 09281200.0004 to synchronize all the times and dates, I noticed after 15 minutes that those 3 systems are now 2 minutes behind still.

I issued the command on those nodes
# ntpdate –d <CWS en0 IP address>
# xntpdc -p
(they all came back with no errors)

still now after 30 minutes i show 3 minutes lost and counting on those nodes.
xntp is running on the cws. as well as all the nodes.
they were all rebooted 13 hours ago.

I also noticed that the /etc/ntp.drift file shows a very large negative number like
-28527.43530 and -28527.42709 and -28527.43530 for those 3 nodes.
versus a node that is stiill in sync. with a ntp.drift of 8.23453

can someone help???

Question by:magnixus
  • 3
  • 2
LVL 62

Expert Comment

ID: 12177966
You need to set up ntp to work perfectly:
One or two master servers where:
- ntp.conf points to server (local clock), which is unstable and free
- ntp.conf gathers time signals over internet, which is free and fairly accurate
- ntp feeds from some other GPS receiver or so (, which is a bit more accurate and costs some money
All others have ntp.conf pointing to those servers
Windows use w32tm service (aka "Windows Time", set by net time /setsntp:, checked by w32tm /once)

Author Comment

ID: 12182190
Thanks gheist , but we do not use the internet to gather signals, we have a company the SP nodes pull there signals from thier internal clock or the control workstation and the the control workstation pulls its signals from a company DNS server, which in turn gets a clock update from an atomic clock a via stratum system.

However I did fix it..

here is what I did.
- On each node I ran the following:
1. I edited the /etc/ntp.drift files by removing the negative -2xxxx.xxxxx number and added a 8.xxxx number in its place and saved it. ( i simply found a node who's clock was in constant sync and used the data from its ntp.drift file which was a 8.xxxxx number)

2. I killed the xntpd process

3. I ran the ntpdate -d (this updates the clock timestamps from the control workstation

4. I then restarted the xntpd process by running  rc.ntp

5. I then ran xntpdc -p

- Then on the control workstation I ran
#dsh -av date 09281715.00.04  
this syncs all the nodes clocks.
Its been 17 some hours and all is still in sync problem fixed.
(problem resolved myself) thanks for the input.
LVL 62

Accepted Solution

gheist earned 500 total points
ID: 12206102
1. 0.0 can be put in drift file, ntp then recalulates drifts, so nodes can run without ntp source for some time without external source
2. stopsrc/startsrc is correct way of restarting daemons
3. this was necessary because time offset on SP nodes was too big and xntpd was not syncing anymore
4. read 2
5. read 2

to sync date stopsrc xntpd ; ntpdate ntp_server ; echo 0.0 > /etc/ntp.drift ; startsrc xntpd is more than enough

older AIX has old xntpd, whish exits randomly when source is lost for prolonged period. adding server (always nonworking) will fix that exit problem, just as patching xntpd using ML patches

Author Comment

ID: 12842622

I commented that I fixed it anyhow. see Date: 09/29/2004 10:28AM PDT

I explain in detail what I did.

can I get my points back or however that works?

LVL 62

Expert Comment

ID: 12844250
I tried to point you to "correct" way of starting ntpd on AIX, nothing more.

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
FTP on FreeBSD server 2 141
reinstall 1 84
Sed question 2 100
Martian Packets Unix 5 67
This tech tip describes how to install the Solaris Operating System from a tape backup that was created using the Solaris flash archive utility. I have used this procedure on the Solaris 8 and 9 OS, and it shoudl also work well on the Solaris 10 rel…
Installing FreeBSD… FreeBSD is a darling of an operating system. The stability and usability make it a clear choice for servers and desktops (for the cunning). Savvy?  The Ports collection makes available every popular FOSS application and packag…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question