Using kerberos ticket on web browsers

Diego Lima diego-lima at prodesan.com.br
Fri Dec 8 08:11:44 EST 2006


First of all, I'd like to thank you all for helping me out. I finally found
what was causing the problems. I took a look at krb5kdc.log and I found this:

Dec 07 15:57:00 estagiario6 krb5kdc[22882](info): TGS_REQ (1 etypes {1})
192.168.130.223: PROCESS_TGS: authtime 0,  <unknown client> for
HTTP/estagiario6.sso.com.br at SSO.COM.BR, Clock skew too great

I know it sounds stupid, but it never occurred to me to check the krb5kdc log
before, since I was able to get tickets using kinit both from Windows and
Linux. Indeed we had done a bit of "hacking" around our Linux time in order to
be able to properly sync Windows stations using net time.

The moment I got an NTP server on the network and set the clocks right it began
working (following Grolms's site recommendations).

I'm wondering now why Kerberos is more strict about service tickets when it
comes to clock skew (I assumed that since I could still get tickets using
kinit), but I'm going to read through some documentation to find that out.

Thanks again,

--
Diego Alencar Alves de Lima
DINF - Prodesan (http://www.prodesan.com.br)
Prefeitura Municipal de Santos (http://www.santos.sp.gov.br)
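
One way to run the check described in the message above: scan krb5kdc.log for requests rejected with "Clock skew too great" and group them by client address. This is an added example, not part of the original message; the regular expression assumes the line layout of the entry quoted above, and the second and third sample lines are constructed.

```python
import re
from collections import defaultdict

# One krb5kdc.log request line, in the layout of the entry quoted in the post
# (assumption: other KDC versions or message types may lay fields out differently).
LINE_RE = re.compile(
    r"^(?P<when>\w{3} +\d+ [\d:]{8}) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"authtime \d+, +(?P<client>.+?) for (?P<service>.+?), (?P<error>.+)$"
)

# Sample input: line 1 is the post's entry joined onto one line; lines 2 and 3
# are constructed for this example (principal names and the second IP are made up).
SAMPLE_LOG = """\
Dec 07 15:57:00 estagiario6 krb5kdc[22882](info): TGS_REQ (1 etypes {1}) 192.168.130.223: PROCESS_TGS: authtime 0,  <unknown client> for HTTP/estagiario6.sso.com.br at SSO.COM.BR, Clock skew too great
Dec 07 15:58:12 estagiario6 krb5kdc[22882](info): TGS_REQ (1 etypes {1}) 192.168.130.223: PROCESS_TGS: authtime 0,  <unknown client> for HTTP/estagiario6.sso.com.br@SSO.COM.BR, Clock skew too great
Dec 07 15:59:30 estagiario6 krb5kdc[22882](info): TGS_REQ (1 etypes {1}) 192.168.130.50: UNKNOWN_SERVER: authtime 1165513000,  user1@SSO.COM.BR for HTTP/intranet.sso.com.br@SSO.COM.BR, Server not found in Kerberos database
"""


def parse_line(line):
    """Return the fields of one request line, or None if the layout differs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The list archive rewrites "@" as " at "; undo that in principal names.
    for key in ("client", "service"):
        rec[key] = rec[key].replace(" at ", "@")
    return rec


def clock_skew_by_host(lines):
    """Map client IP -> sorted service principals rejected for clock skew."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and "clock skew too great" in rec["error"].lower():
            hits[rec["ip"]].add(rec["service"])
    return {ip: sorted(services) for ip, services in hits.items()}


if __name__ == "__main__":
    for ip, services in clock_skew_by_host(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: check time sync; rejected requests for {', '.join(services)}")
```
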

