DST Time change

Sam Hartman hartmans at MIT.EDU
Mon Mar 5 21:17:15 EST 2007


>>>>> "Danny" == Danny Mayer <mayer at ntp.isc.org> writes:

    Danny> Edgecombe, Jason wrote:
    >> Hi,
    >> 
    >> Should the upcoming DST time change have any impact on
    >> Kerberos? As I recall, Kerberos uses UTC for its
    >> authentication requests. Is this correct?
    >> 

    Danny> Well, it's just a week away from the change to DST in the
    Danny> US. Now you ask? The answer is no, it only uses UTC.
    >> Will I see authentication failures from patched or unpatched
    >> Windows/Linux/Solaris machines assuming that someone hasn't
    >> manually tweaked the time?

    Danny> DST, etc. is only for display purposes. All underlying code
    Danny> uses UTC. If something fails to install the patches it
    Danny> really doesn't matter as it only affects what you see for
    Danny> files. You should worry about your syslog being off by an
    Danny> hour as with the Windows eventlog, but failures you won't
    Danny> see because of it.

You're overlooking a lot of complexity.  Most computers (with the
exception of systems that only run Unix) tend to store the hardware
clock in local time not UTC.  So, rebooting during the DST period may
well cause your idea of UTC to be off by an hour.  Similarly if you go
futz the time because you think DST has started and your computer does
not, you will get things to be off by an hour.

This will break Kerberos.  My recommendation is to find out how to set
the clockskew for your implementation to some value greater than an
hour and do that.

--Sam
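
An added example, not part of the original message: it models a host whose hardware clock stores local wall-clock time and shows when a host still using the pre-2007 US DST rules derives a UTC that is an hour off. It assumes US Eastern time and a 300-second tolerance (the MIT krb5 default for clockskew); the function names are illustrative.

```python
from datetime import datetime, timedelta

EST = timedelta(hours=-5)            # US Eastern standard offset from UTC (assumed zone)
CLOCKSKEW = timedelta(seconds=300)   # assumed tolerance: MIT krb5 default clockskew

def nth_sunday(year, month, n):
    """Date of the n-th Sunday of a month; n=-1 means the last Sunday."""
    if n > 0:
        first = datetime(year, month, 1)
        return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))
    last = datetime(year, month + 1, 1) - timedelta(days=1)  # only used for October
    return last - timedelta(days=(last.weekday() + 1) % 7)

def in_dst(wall, rules):
    """True if a wall-clock time is in DST under 'old' (pre-2007) or 'new' US rules."""
    y = wall.year
    if rules == "new":   # second Sunday in March to first Sunday in November
        start, end = nth_sunday(y, 3, 2), nth_sunday(y, 11, 1)
    else:                # first Sunday in April to last Sunday in October
        start, end = nth_sunday(y, 4, 1), nth_sunday(y, 10, -1)
    # Transitions happen at 02:00 local; the ambiguous fall-back hour counts as DST.
    return start + timedelta(hours=2) <= wall < end + timedelta(hours=2)

def rtc_to_utc(rtc_wall, rules):
    """Convert an RTC value holding local wall-clock time to UTC, as the OS does at boot."""
    offset = EST + (timedelta(hours=1) if in_dst(rtc_wall, rules) else timedelta(0))
    return rtc_wall - offset

def skew_after_boot(rtc_wall):
    """UTC error on an unpatched host when the RTC holds the correct new-rule local time."""
    return rtc_to_utc(rtc_wall, "old") - rtc_to_utc(rtc_wall, "new")

def kerberos_ok(rtc_wall, clockskew=CLOCKSKEW):
    """True if the resulting UTC error stays within the Kerberos clock skew tolerance."""
    return abs(skew_after_boot(rtc_wall)) <= clockskew
```

In 2007 the two rule sets disagree from March 11 to April 1 and from October 28 to November 4. A tolerance above one hour also lengthens the period during which a captured authenticator is still accepted, so it suits the transition until hosts are patched.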



