Skip to main content
NetApp Knowledge Base

Can NTP time skew affect an ONTAP 9 system?

Views:
1,105
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
core
Last Updated:

​

Applies to

  • ONTAP 9
  • NTP
  • Snapshot
  • Time skew
  • Clock skew

Answer

Question: 

Is there is an option on ONTAP 9 to show or modify the time skew limit for NTP?

Answer:

No, the default value for maximum time skew for ONTAP is 1000 seconds, or approximately 16 minutes. The time skew can also be configured on the NTP server.

Question:

If an intruder successfully hacks our internal NTP service and changes the time which our NetApp systems get from these NTP servers, would be possible to delete Snapshots prior to the retention time if there is no maximum skew limit?

Answer:

No. It is important that the cluster have the correct date/time set, because job schedules, CIFS authentication, logging, and system processes rely on it. If the time difference is more than 5+ minutes, then you would lose CIFS authentication, preventing new sessions from being established. As ONTAP does not sync to the NTP server when the skew is too high, other time based considerations, like snapshot expirations, will not be affected.

Additional Information

For settings to control how large a clock skew ONTAP will accept in regards to Kerberos, see:

Modifying the CIFS server Kerberos security settings

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.