kdc_timesync
Ken Raeburn
raeburn at MIT.EDU
Wed Aug 16 05:02:47 EDT 2006
On Aug 16, 2006, at 01:44, preetam R wrote:
> As I understand from the Kerberos admin guide, the
> option, kdc_timesync, enables the Kerberos client to
> make up for the time difference between its system
> time and the KDC's time.
>
> But then does this mean that even the application
> server must also be in sync with the KDC's time, since
> the timestamp used in the Service Ticket is based on
> the KDC's time?
They're both required to be more or less in sync with the client, and
thus indirectly with each other. The kdc_timesync code just drops
the client's clock out of the equation, by finding an offset to
pretend that it's exactly synchronized with the KDC. (Though if the
clock drifts, or is adjusted to become in sync, using the old offset
can throw things off again.)
Ken
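
The behaviour described in the reply above, as a toy model added here (it is not part of the original message and is not MIT krb5 code). The class and function names are hypothetical, and the 300-second tolerance and the clock errors are assumed sample values.

```python
# Toy model of the timestamp checks (an added illustration, not MIT krb5 code).
from dataclasses import dataclass

CLOCKSKEW = 300  # seconds; assumed tolerance for this example

@dataclass
class Host:
    clock_error: float  # seconds this host's clock is ahead of true time

    def now(self, true_time):
        return true_time + self.clock_error

class Client(Host):
    """Hypothetical client that can remember an offset to the KDC's clock."""
    def __init__(self, clock_error, timesync):
        super().__init__(clock_error)
        self.timesync = timesync
        self.offset = 0.0

    def learn_offset(self, kdc, true_time):
        # Done once, when a KDC reply reveals the KDC's idea of the time.
        if self.timesync:
            self.offset = kdc.now(true_time) - self.now(true_time)

    def authenticator_time(self, true_time):
        # Timestamp the client places in its request to the service.
        return self.now(true_time) + self.offset

def server_accepts(server, client, true_time):
    """Application server's skew check on the client's timestamp."""
    skew = abs(server.now(true_time) - client.authenticator_time(true_time))
    return skew <= CLOCKSKEW

def scenarios():
    t = 1_000_000.0                       # constructed "true" time
    kdc = Host(0)
    good_server, bad_server = Host(30), Host(900)
    results = {}
    plain = Client(1200, timesync=False)  # client 20 minutes fast, no offset
    plain.learn_offset(kdc, t)
    results["no_timesync"] = server_accepts(good_server, plain, t)
    synced = Client(1200, timesync=True)  # same clock, offset learned
    synced.learn_offset(kdc, t)
    results["timesync"] = server_accepts(good_server, synced, t)
    results["server_off"] = server_accepts(bad_server, synced, t)
    synced.clock_error = 0                # clock fixed later, old offset kept
    results["stale_offset"] = server_accepts(good_server, synced, t + 60)
    return results

if __name__ == "__main__":
    print(scenarios())
```

The offset only removes the client's own clock error: a server far from the KDC's time still rejects the request, and an offset kept after the client's clock is corrected reintroduces the skew.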