Recently, I upgraded the FreeIPA server for my network to the latest version (4.8.10). Some strange things related to authentication started to happen with some services on my network.
For our Web site, netlify gotrue is used to enable users to login using SAML Single Sign-On. This started to fail due to this error:
SAML response has invalid time
For our discourse based forum, users started to experience failure to login using Google Single Sign-On. Again, it is time related:
Unable to verify authorization token due to server clock differences. Please try again.
So I check the time on the servers, they all have a few seconds differences from each other.
All my nodes use chronyd to manage NTP service. When run
chronyc sources -v
I found that all of the NTP client show something like this:
210 Number of sources = 1
.-- Source mode '^' = server, '=' = peer, '#' = local clock.
/ .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| / '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
|| .- xxxx [ yyyy ] +/- zzzz
|| Reachability register (octal) -. | xxxx = adjusted offset,
|| Log2(Polling interval) --. | | yyyy = measured offset,
|| \ | | zzzz = estimated error.
|| | | \
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^? ipa.example.com 0 8 0 - +0ns[ +0ns] +/- 0ns
It means that the NTP server is not reachable. No wonder the times are out of sync.
So I checked on my IPA server, it turns out that the new version of FreeIPA server default to disable the NTP server and does not allow external NTP clients to access. The NTP port 123
is not open:
ss -lnp | grep "123"
This shows nothing.
To fix, edit /etc/chrony/chrony.conf
, and add
allow all
local stratum 10
Then systemctl restart chronyd
to restart the server.
On the client nodes, do the same, now the time should be synced.
210 Number of sources = 1
.-- Source mode '^' = server, '=' = peer, '#' = local clock.
/ .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| / '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
|| .- xxxx [ yyyy ] +/- zzzz
|| Reachability register (octal) -. | xxxx = adjusted offset,
|| Log2(Polling interval) --. | | yyyy = measured offset,
|| \ | | zzzz = estimated error.
|| | | \
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* ipa.example.com 4 7 377 73 +360us[ +447us] +/- 28ms
All those pesky authentication problems went away.
Comments
comments powered by Disqus