kdc_timesync - Kerberos


Thread: kdc_timesync

  1. kdc_timesync

    Hi,

    As I understand from the Kerberos admin guide, the
    option kdc_timesync enables the Kerberos client to
    make up for the time difference between its system
    time and the KDC's time.

    But then does this mean that even the application
    server must also be in sync with the KDC's time, since
    the timestamp used in the Service Ticket is based on
    the KDC's time?

    Thanks,
    Preetam

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: kdc_timesync

    On Aug 16, 2006, at 01:44, preetam R wrote:
    > As I understand from the Kerberos admin guide, the
    > option kdc_timesync enables the Kerberos client to
    > make up for the time difference between its system
    > time and the KDC's time.
    >
    > But then does this mean that even the application
    > server must also be in sync with the KDC's time, since
    > the timestamp used in the Service Ticket is based on
    > the KDC's time?


    They're both required to be more or less in sync with the client, and
    thus indirectly with each other. The kdc_timesync code just drops
    the client's clock out of the equation, by finding an offset to
    pretend that it's exactly synchronized with the KDC. (Though if the
    clock drifts, or is adjusted to become in sync, using the old offset
    can throw things off again.)

    Ken




  3. Re: kdc_timesync

    preetam R wrote:
    > Hi,
    >
    > As I understand from the Kerberos admin guide, the
    > option kdc_timesync enables the Kerberos client to
    > make up for the time difference between its system
    > time and the KDC's time.
    >
    > But then does this mean that even the application
    > server must also be in sync with the KDC's time, since
    > the timestamp used in the Service Ticket is based on
    > the KDC's time?
    >
    > Thanks,
    > Preetam


    Install NTP on all systems. That way you avoid the problem in the first
    place. The limit between two systems using Kerberos is 5 minutes, which
    is hardly an onerous requirement.

    Danny
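
The behaviour discussed in this thread, as an added example that is not from any of the posters and is not MIT krb5 code: a simplified model in which a client stores a KDC offset and an application server applies the 5-minute skew limit against its own clock. All class and function names, host names and clock values are hypothetical and constructed for illustration.

```python
# Added illustration: a simplified model of Kerberos clock-skew checking.
# All names are hypothetical; this is not MIT krb5 code.
from dataclasses import dataclass

CLOCKSKEW = 300  # seconds; the 5-minute limit mentioned in the thread

@dataclass
class Host:
    name: str
    clock_error: int  # seconds this host's clock is ahead of true time

    def now(self, true_time: int) -> int:
        return true_time + self.clock_error

@dataclass
class Client(Host):
    kdc_offset: int = 0  # correction learned from the KDC (the kdc_timesync idea)

    def sync_with(self, kdc: Host, true_time: int) -> None:
        # Record the difference between the KDC's clock and the local clock.
        self.kdc_offset = kdc.now(true_time) - self.now(true_time)

    def authenticator_time(self, true_time: int) -> int:
        # The client stamps its request with local time plus the stored offset.
        return self.now(true_time) + self.kdc_offset

def server_accepts(server: Host, client: Client, true_time: int) -> bool:
    # The application server compares the client's timestamp with its own clock.
    return abs(server.now(true_time) - client.authenticator_time(true_time)) <= CLOCKSKEW

def scenarios() -> dict:
    t = 1_155_700_000  # constructed "true" time, seconds since the epoch
    kdc = Host("kdc", 0)
    good_server = Host("app-ok", 20)       # within 5 minutes of the KDC
    bad_server = Host("app-drifted", 900)  # 15 minutes ahead of the KDC
    client = Client("ws", -600)            # workstation clock 10 minutes slow
    out = {"no_offset": server_accepts(good_server, client, t)}
    client.sync_with(kdc, t)
    out["offset_good_server"] = server_accepts(good_server, client, t)
    out["offset_bad_server"] = server_accepts(bad_server, client, t)
    client.clock_error = 0                 # clock later corrected, old offset kept
    out["stale_offset"] = server_accepts(good_server, client, t + 3600)
    return out

if __name__ == "__main__":
    print(scenarios())
```

The offset only removes the client's clock from the comparison: a server that has drifted from the KDC still rejects the request, and an offset kept after the client's clock is corrected reintroduces the skew.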

