So in our environment, we had 3 FreeIPA 4.9.11 servers (ipa4, ipa5, ipa6) in a replicated
setup, DL1, and a couple weeks ago, something happened that broke the replication between
the three of them. We were able to get ipa6 up and running and accepting clients, so we
shut down ipa4 and ipa5 and removed all replication agreements, RUVs, and topology
segments related to ipa4 and ipa5. We are trying to clean up ipa6 before attempting to
stand up new replicas, and we are stuck on this one problem: when running ipa-healthcheck,
it complains that the time skew is over 24 hours, specifically it is 30145 days off, a bit
over 82 years.

ipa6 ~ $ ipa-healthcheck
[
  {
    "source": "ipahealthcheck.ds.dse",
    "check": "DSECheck",
    "result": "CRITICAL",
    "uuid": "ecc2c131-b86a-4851-a156-c304d77ebb0b",
    "when": "20230822183329Z",
    "duration": "0.012828",
    "kw": {
      "key": "DSSKEWLE0003",
      "items": [
        "Replication",
        "dc=DOMAIN,dc=DOMAIN,dc=DOMAIN",
        "Time Skew",
        "Skew: 30145 days, 2 hours, 20 minutes, 16 seconds"
      ],
      "msg": "The time skew is over 24 hours. Setting nsslapd-ignore-time-skew\nto \"on\" on each replica will allow replication to continue, but if the\ntime skew continues to increase other serious replication problems can\noccur."
    }

I was able to find mention of this method to correct time skew
issues: https://www.port389.org/docs/389ds/howto/howto-fix-and-reset-time-... , but
since we are now running on a single node with no replicas, I don't see how that would
help. How is it even possible to have a skew in time between replicas if there are no
replicas?

Thanks,
Kevin