DST Time change
Durbin_Ron@emc.com
Durbin_Ron at emc.com
Wed Dec 12 10:50:53 EST 2007
How does MIT Kerberos support IPv6 addresses in the krb5.conf?
Specifically how does it distinguish between a ":" in the address and
the ":" delimiting the port number?
Example:
192.168.100.20:20
2002:8c8:0:2312:0:2:ac18:f412:20
How do we distinguish this?
This is the industry standard way.
[2002:8c8:0:2312:0:2:ac18:f412]:20
Ron
-----Original Message-----
From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On
Behalf Of Sam Hartman
Sent: Monday, March 05, 2007 7:17 PM
To: mayer at ntp.isc.org
Cc: Edgecombe, Jason; kerberos at MIT.EDU
Subject: Re: DST Time change
>>>>> "Danny" == Danny Mayer <mayer at ntp.isc.org> writes:
Danny> Edgecombe, Jason wrote:
>> Hi,
>>
>> Should the upcoming DST time change have any impact on
>> kerberos? As I recall, kerberos uses UTC for it's
>> authentication requests. Is this correct?
>>
Danny> Well, it's just a week away from the change to DST in the
Danny> US. Now you ask? The answer is no, it only uses UTC.
>> Will I see authentication failures from patched or unpatched
>> windows/Linux/solaris machines assuming that someone hasn't
>> manually tweaked the time?
Danny> DST, etc. is only for display purposes. All underlying code
Danny> uses UTC. If something fails to install the patches it
Danny> really doesn't matter as it only affects what you see for
Danny> files. You should worry about your syslog being off by an
Danny> hour as with the Windows eventlog, but failures you won't
Danny> see because of it.
You're overlooking a lot of complexity. Most computers (with the
exception of systems that only run Unix) tend to store the hardware
clock in local time not UTC. So, rebooting during the DST period may
well cause your idea of UTC to be off by an hour. Similarly if you go
futz the time because you think DST has started and your computer does
not, you will get things to be off by an hour.
This will break Kerberos. My recommendation is to find out how to set
the clockskew for your implementation to some value greater than an
hour and do that.
--Sam
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list