regarding clock skew difference between client and KDC

Danny Mayer mayer at ntp.isc.org
Mon Sep 3 14:40:46 EDT 2007


ESWAR wrote:
> On Aug 24, 7:53 am, Danny Mayer <ma... at ntp.isc.org> wrote:
> 
>> That violates the RFC requirements. No server will or should allow you
>> to do that. Why are you not synchronizing your clocks? NTP is available
>> on just about all platforms so there's no reason not to use it.
>>
>>> Please give me some suggestion how I can do this.
>> You can't.
>>
>> Danny
> 
> I wanted to use Kerberos authentication from a machine which is not
> joined to the domain, so time should affect my authentication process.
> Even if the client has a different time than the KDC time, it should authenticate.

Please understand the answer that I gave you above. You cannot
authenticate a client whose UTC time is different by more than 5 minutes
from the KDC's UTC time. Anything else would be a protocol and a
security violation.

> Where can I change this in the MIT source code?

You can't.

> So I wanted to use the KDC system time and use the same in all the places
> where it is referring to get the local system time.

Install NTP everywhere and point them to 3-4 good NTP sources.
> 
> What are all the problems I will get if I do this?
> 

You will fail to authenticate. See RFC 1510 Section 3.2.3.

Danny

P.S. All questions should go to the mailing list and not to me personally.
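
Added example, not part of the original message and not MIT krb5 code: a simplified sketch of the server-side checks in RFC 1510 Section 3.2.3, showing that the skew limit is what lets the replay cache forget old authenticators safely. The `ReplayCache` class, principals and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

CLOCK_SKEW = timedelta(minutes=5)  # the 5-minute limit quoted in the message
KRB_AP_ERR_REPEAT = 34             # RFC 1510 error codes
KRB_AP_ERR_SKEW = 37


class ReplayCache:
    """Simplified server-side check; hypothetical helper, not MIT krb5 code."""

    def __init__(self, skew=CLOCK_SKEW):
        self.skew = skew
        self.seen = set()  # (client, server, ctime, cusec) tuples

    def check(self, client, server, ctime, cusec, now):
        # Entries whose ctime has aged out of the window can be dropped:
        # the skew test below rejects any replay of them anyway.
        self.seen = {k for k in self.seen if now - k[2] <= self.skew}
        if abs(now - ctime) > self.skew:
            return KRB_AP_ERR_SKEW
        key = (client, server, ctime, cusec)
        if key in self.seen:
            return KRB_AP_ERR_REPEAT
        self.seen.add(key)
        return 0


def demo():
    # Constructed principals and timestamps, all in UTC.
    now = datetime(2007, 9, 3, 18, 40, 46, tzinfo=timezone.utc)
    minute = timedelta(minutes=1)
    cache = ReplayCache()
    auth = ("client@EXAMPLE.COM", "host/srv@EXAMPLE.COM", now - 2 * minute, 123)
    return [
        cache.check(*auth, now=now),               # fresh, inside window
        cache.check(*auth, now=now + minute),      # replay inside window
        cache.check(*auth, now=now + 4 * minute),  # replay, ctime now 6 min old
        cache.check("client@EXAMPLE.COM", "host/srv@EXAMPLE.COM",
                    now - 7 * minute, 0, now=now),  # client clock 7 min behind
        len(cache.seen),                           # aged-out entry was purged
    ]


if __name__ == "__main__":
    print(demo())
```

Without the skew test, a captured authenticator would stay replayable unless the server kept every tuple it had ever seen.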


