DST Time change

Durbin_Ron@emc.com Durbin_Ron at emc.com
Wed Dec 12 10:50:53 EST 2007


How does MIT Kerberos support IPv6 addresses in the krb5.conf?
Specifically how does it distinguish between a ":" in the address and
the ":" delimiting the port number?

Example:

	192.168.100.20:20
	2002:8c8:0:2312:0:2:ac18:f412:20
How do we distinguish this?
This is the industry standard way.
[2002:8c8:0:2312:0:2:ac18:f412]:20

Ron

-----Original Message-----
From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On
Behalf Of Sam Hartman
Sent: Monday, March 05, 2007 7:17 PM
To: mayer at ntp.isc.org
Cc: Edgecombe, Jason; kerberos at MIT.EDU
Subject: Re: DST Time change

>>>>> "Danny" == Danny Mayer <mayer at ntp.isc.org> writes:

    Danny> Edgecombe, Jason wrote:
    >> Hi,
    >> 
    >> Should the upcoming DST time change have any impact on
    >> kerberos? As I recall, kerberos uses UTC for its
    >> authentication requests. Is this correct?
    >> 

    Danny> Well, it's just a week away from the change to DST in the
    Danny> US. Now you ask? The answer is no, it only uses UTC.
    >> Will I see authentication failures from patched or unpatched
    >> windows/Linux/solaris machines assuming that someone hasn't
    >> manually tweaked the time?

    Danny> DST, etc. is only for display purposes. All underlying code
    Danny> uses UTC. If something fails to install the patches it
    Danny> really doesn't matter as it only affects what you see for
    Danny> files. You should worry about your syslog being off by an
    Danny> hour as with the Windows eventlog, but failures you won't
    Danny> see because of it.

You're overlooking a lot of complexity.  Most computers (with the
exception of systems that only run Unix) tend to store the hardware
clock in local time not UTC.  So, rebooting during the DST period may
well cause your idea of UTC to be off by an hour.  Similarly if you go
futz the time because you think DST has started and your computer does
not, you will get things to be off by an hour.

This will break Kerberos.  My recommendation is to find out how to set
the clockskew for your implementation to some value greater than an
hour and do that.

--Sam

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
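
The bracket convention from Ron's question, as an added example: this is not part of the original messages and not MIT Kerberos code, and it says nothing about how krb5.conf is actually parsed. It lists every way an unbracketed string can be read and rejects the ones with more than one reading, which happens as soon as the address uses "::" compression. The function names and the default port of 88 are assumptions of the example.

```python
import ipaddress

def _is_v6(text):
    try:
        ipaddress.IPv6Address(text)
        return True
    except ValueError:
        return False

def _port(text):
    if not (text.isascii() and text.isdigit() and 0 < int(text) <= 65535):
        raise ValueError("bad port %r" % text)
    return int(text)

def readings(spec):
    """Every (host, port) an unbracketed spec can be read as; port None = not given."""
    found = []
    if _is_v6(spec):                      # the whole string is one IPv6 address
        found.append((spec, None))
    head, sep, tail = spec.rpartition(":")
    if not sep:                           # bare hostname or IPv4 address
        found.append((spec, None))
    elif tail.isdigit() and (_is_v6(head) or ":" not in head):
        found.append((head, _port(tail)))  # last ":" taken as the port delimiter
    return found

def parse_endpoint(spec, default_port=88):  # 88: assumed default (Kerberos KDC port)
    spec = spec.strip()
    if spec.startswith("["):              # [addr] or [addr]:port
        host, sep, rest = spec[1:].partition("]")
        if not sep or not _is_v6(host) or (rest and not rest.startswith(":")):
            raise ValueError("malformed bracketed address %r" % spec)
        return host, (_port(rest[1:]) if rest else default_port)
    found = readings(spec)
    if not found:
        raise ValueError("not a host or host:port: %r" % spec)
    if len(found) > 1:
        raise ValueError("ambiguous, write [addr]:port: %r" % (found,))
    host, port = found[0]
    return host, (default_port if port is None else port)

if __name__ == "__main__":
    # Constructed inputs: the three from the message plus a "::"-compressed one.
    for s in ("192.168.100.20:20", "2002:8c8:0:2312:0:2:ac18:f412:20",
              "[2002:8c8:0:2312:0:2:ac18:f412]:20", "2002:8c8::f412:20"):
        try:
            print(s, "->", parse_endpoint(s))
        except ValueError as e:
            print(s, "-> rejected:", e)
```

The nine-group string from the message has only one reading because eight groups already make a full address; the compressed form is both a valid address on its own and a valid address plus port 20, so only the bracketed spelling is safe to accept.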




