Ken Raeburn raeburn at MIT.EDU
Wed Aug 16 05:02:47 EDT 2006

On Aug 16, 2006, at 01:44, preetam R wrote:
>    As I understand from the Kerberos admin guide, the
> option kdc_timesync enables the Kerberos client to
> make up for the time difference between its system
> time and the KDC's time.
>    But then, does this mean that even the application
> server must also be in sync with the KDC's time, since
> the timestamp used in the Service Ticket is based on
> the KDC's time?

They're both required to be more or less in sync with the client, and  
thus indirectly with each other.  The kdc_timesync code just drops  
the client's clock out of the equation, by finding an offset to  
pretend that it's exactly synchronized with the KDC.  (Though if the  
clock drifts, or is adjusted to become in sync, using the old offset  
can throw things off again.)
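
The behaviour described in the reply above, as an added example that is not part of the original post and is not MIT krb5 code: a simplified three-clock model in which the service checks only the authenticator timestamp against its own clock. The class and function names, the clock errors and the 300-second tolerance are assumptions chosen for illustration.

```python
CLOCKSKEW = 300  # seconds; assumed tolerance (MIT krb5's default clockskew)

class Host:
    """Machine whose clock runs `error` seconds ahead of true time."""
    def __init__(self, error=0.0):
        self.error = error

    def now(self, true_time):
        return true_time + self.error

class Client(Host):
    """Client that remembers an offset to the KDC (simplified kdc_timesync)."""
    def __init__(self, error=0.0):
        super().__init__(error)
        self.offset = 0.0

    def sync_with(self, kdc, true_time):
        # Offset learned from a KDC reply: KDC clock minus local clock.
        self.offset = kdc.now(true_time) - self.now(true_time)

    def authenticator_time(self, true_time):
        # Timestamp the client puts in the authenticator it sends to a service.
        return self.now(true_time) + self.offset

def service_accepts(server, client, true_time, skew=CLOCKSKEW):
    """Server-side check: authenticator timestamp within `skew` of server clock."""
    return abs(server.now(true_time) - client.authenticator_time(true_time)) <= skew

def scenarios(t=1_000_000.0):
    """Run four constructed cases and report whether the service accepts each."""
    kdc, good_server, bad_server = Host(0), Host(10), Host(900)
    client = Client(error=3600)           # client clock one hour fast
    out = {"no_offset": service_accepts(good_server, client, t)}
    client.sync_with(kdc, t)              # offset becomes -3600
    out["with_offset"] = service_accepts(good_server, client, t)
    out["server_off_by_900s"] = service_accepts(bad_server, client, t)
    client.error = 0                      # clock corrected, old offset kept
    out["stale_offset"] = service_accepts(good_server, client, t)
    return out

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:20} {'accepted' if ok else 'rejected'}")
```

The third case shows that the offset does nothing for a service whose own clock is far from the KDC's, and the fourth shows the stale-offset problem after the client clock is corrected.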

