πŸ”΄ Critical   ⏱ 5–30 min  Last verified: 19 May 2026
Affected versions: RHEL 10

πŸ“– ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution β€” Primary Fix
  7. Solution β€” Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Authentication to directory services fails intermittently due to excessive clock skew.

Environment & Reproduction

Observed on VMs with unstable host time source or blocked NTP traffic.

timedatectl status ; chronyc tracking

Root Cause Analysis

chronyd has unreachable or poor-quality sources, leading to unsynchronized system time.

Quick Triage

Check sync state, source reachability, and chronyd service logs.

chronyc sources -v ; systemctl status chronyd ; sudo journalctl -u chronyd -n 80

Step-by-Step Diagnosis

Verify NTP servers, network egress on UDP 123, and large offset history.

grep -v '^#' /etc/chrony.conf ; sudo firewall-cmd --list-services ; chronyc sourcestats -v
Illustrative mockup for rhel-10 β€” chrony-drift-log
chronyd offset and source instability β€” Illustrative mockup β€” Progressive Robot

Solution β€” Primary Fix

Set reliable time sources, enable chronyd at boot, and perform controlled makestep.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

sudo sed -i 's/^pool.*/server time1.example.com iburst
server time2.example.com iburst/' /etc/chrony.conf ; sudo systemctl enable --now chronyd ; sudo chronyc makestep
Illustrative mockup for rhel-10 β€” chrony-drift-fix
Synchronized clock and healthy sources β€” Illustrative mockup β€” Progressive Robot

Solution β€” Alternative Approaches

Use local stratum servers or virtualization host passthrough time when network isolation applies.

Verification & Acceptance Criteria

Clock must report synchronized with low offset and stable source reach.

timedatectl show -p NTPSynchronized --value ; chronyc tracking ; chronyc sources -v

Rollback Plan

Revert chrony.conf from backup and restart chronyd if new servers are unreliable.

sudo cp /etc/chrony.conf.bak /etc/chrony.conf ; sudo systemctl restart chronyd

Prevention & Hardening

Monitor drift and source reachability, and alert before Kerberos skew thresholds are hit.

Frequently appears with SSSD login issues and certificate validation failures.

Related tutorial: View the step-by-step tutorial for rhel-10.

View all rhel-10 tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

chrony project docs and Red Hat time synchronization recommendations.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.