Affected versions: RHEL 10

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Clock drift causes Kerberos failures, TLS validation errors, and inconsistent logs across nodes.

Environment & Reproduction

Appears when NTP sources are unreachable or blocked by firewall policy.

timedatectl status
chronyc sources -v
chronyc tracking

Root Cause Analysis

chronyd cannot reach its preferred sources, or receives invalid responses, because of network filtering or bad server entries.

Quick Triage

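Confirm daemon state and UDP/123 reachability. UDP is connectionless, so a successful nc probe is only a hint that nothing rejected the packet; the Reach column of chronyc sources shows whether replies actually arrive.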

systemctl status chronyd
firewall-cmd --list-services
nc -uvz ntp1.example.com 123 || true

Step-by-Step Diagnosis

Inspect chrony config and synchronization diagnostics.

grep -E '^(server|pool|makestep)' /etc/chrony.conf
journalctl -u chronyd -n 80 --no-pager
chronyc sourcestats -v

Solution – Primary Fix

Set valid internal NTP servers, allow the NTP service in firewalld, and restart chronyd.

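# Keep a copy of the current config; the rollback plan restores this file
sudo cp -p /etc/chrony.conf /etc/chrony.conf.bak
# Drop the default pool entries and append the internal servers
sudo sed -i '/^pool /d' /etc/chrony.conf
sudo tee -a /etc/chrony.conf >/dev/null <<'EOF'
server ntp1.example.com iburst
server ntp2.example.com iburst
makestep 1.0 3
EOF
# Opens inbound UDP/123 in the default zone (needed when this host also serves NTP to clients)
sudo firewall-cmd --add-service=ntp --permanent
sudo firewall-cmd --reload
sudo systemctl restart chronyd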

Solution – Alternative Approaches

Use hardware clock sync and local fallback source for disconnected segments.

sudo chronyc -a makestep
sudo hwclock --systohc

Verification & Acceptance Criteria

System reports synchronized state and stable offset.

timedatectl show -p NTPSynchronized
chronyc tracking
chronyc sources -v

Rollback Plan

Restore previous chrony config if custom source set fails.

sudo cp /etc/chrony.conf.bak /etc/chrony.conf
sudo systemctl restart chronyd

Prevention & Hardening

Monitor stratum and offset metrics and keep at least two reachable enterprise sources.

systemctl enable --now chronyd
chronyc activity
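
The monitoring rule above (stratum, offset, at least two reachable sources) written as a check over chronyc output. This is an added example, not part of the original article; the limits MAX_OFFSET, MAX_STRATUM and MIN_SOURCES, the function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Limits below are assumptions.
MAX_OFFSET=${MAX_OFFSET:-0.1}    # seconds
MAX_STRATUM=${MAX_STRATUM:-10}
MIN_SOURCES=${MIN_SOURCES:-2}    # the "at least two reachable sources" rule

# Findings from `chronyc tracking` text: stratum, offset magnitude, leap status.
check_tracking() {
    printf '%s\n' "$1" | awk -F' *: *' -v maxo="$MAX_OFFSET" -v maxs="$MAX_STRATUM" '
        /^Stratum/     { st = $2 + 0 }
        /^System time/ { off = $2 + 0; seen = 1 }
        /^Leap status/ { leap = $2 }
        END {
            if (st < 1 || st > maxs) print "stratum out of range: " (st + 0)
            if (!seen || off > maxo) print "offset missing or above limit: " (off + 0) "s"
            if (leap != "Normal")    print "leap status: " leap
        }'
}

# Count NTP servers (^ rows) with a non-zero Reach register that chronyd has
# not flagged unusable (?) or falseticker (x).
check_sources() {
    printf '%s\n' "$1" | awk -v min="$MIN_SOURCES" '
        /^\^[^?x] / && $5 != "0" { n++ }
        END { n += 0; if (n < min) print "reachable sources: " n " (need " min ")" }'
}

# chrony_health TRACKING_TEXT SOURCES_TEXT: print findings, return 0 if none.
chrony_health() {
    findings=$(check_tracking "$1"; check_sources "$2")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: a host whose sources are all unreachable.
BAD_TRACKING='Reference ID    : 00000000 ()
Stratum         : 0
System time     : 0.000000000 seconds fast of NTP time
Leap status     : Not synchronised'
BAD_SOURCES='MS Name/IP address         Stratum Poll Reach LastRx Last sample
^? ntp1.example.com              0   6     0     -     +0ns[   +0ns] +/-    0ns
^? ntp2.example.com              0   6     0     -     +0ns[   +0ns] +/-    0ns'

chrony_health "$BAD_TRACKING" "$BAD_SOURCES" || echo "time sync unhealthy"
# Live use: chrony_health "$(chronyc tracking)" "$(chronyc -n sources)"
```

The non-zero exit status makes the function usable from a cron job or a monitoring agent's check hook.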

Related Errors & Cross-Refs

Related to domain auth failures, expired cert checks, and skewed distributed tracing timelines.


References & Further Reading

RHEL chrony administration and time synchronization best practices documentation.