DST Time change

Danny Mayer mayer at ntp.isc.org
Mon Mar 5 22:13:26 EST 2007 

Sam Hartman wrote:
>>>>>> "Danny" == Danny Mayer <mayer at ntp.isc.org> writes:
> 
>     Danny> Edgecombe, Jason wrote:
>     >> Hi,
>     >> 
>     >> Should the upcoming DST time change have any impact on
>     >> kerberos? As I recall, kerberos uses UTC for it's
>     >> authentication requests. Is this correct?
>     >> 
> 
>     Danny> Well, it's just a week away from the change to DST in the
>     Danny> US. Now you ask? The answer is no, it only uses UTC.
>     >> Will I see authentication failures from patched or unpatched
>     >> windows/Linux/solaris machines assuming that someone hasn't
>     >> manually tweaked the time?
> 
>     Danny> DST, etc. is only for display purposes. All underlying code
>     Danny> uses UTC. If something fails to install the patches it
>     Danny> really doesn't matter as it only affects what you see for
>     Danny> files. You should worry about your syslog being off by an
>     Danny> hour as with the Windows eventlog, but failures you won't
>     Danny> see because of it.
> 
> You're overlooking a lot of complexity.  Most computers (with the
> exception of systems that only run Unix) tend to store the hardware
> clock in local time not UTC.  So, rebooting during the DST period may
> well cause your idea of UTC to be off by an hour.  Similarly if you go
> futz the time because you think DST has started and your computer does
> not, you will get things to be off by an hour.
> 

Well, yes, in a way. But the biggest affect, as long as you don't do
anything during the changeover is that your syslog or eventlog will be
off by an hour along with the display of your clock, files and anything
else that displays a timestamp. My point was that Kerberos uses UTC.
Anything else would prevent Kerberos from working in the first place.

> This will break Kerberos.  My recommendation is to find out how to set
> the clockskew for your implementation to some value greater than an
> hour and do that.
> 

Well that's what we keep telling people. Contact the O/S vendor and get
whatever fixes are necessary for your version of the O/S. We get this
questions every spring and autumn and our answer is always the same.
It's a bit more frequent this time around since the US decided to change
the date of the change to and from DST. We also had questions last
December when Australia changed times (in Western Australia?). BTW we
don't call this clockskew (but then NTP doesn't know anything else
outside of UTC), we just talk about localtime or display time if we have to.

Danny
NTP Development

> --Sam
> 
>

More information about the Kerberos mailing list