kerberos and time zone
Ken Raeburn
raeburn at MIT.EDU
Fri Apr 17 05:02:11 EDT 2009
On Apr 17, 2009, at 04:36, Andrea Cirulli wrote:
> Hi all,
>
> I have the following problem:
>
> We are managing the authentication of several servers with Kerberos.
> The
> issue lies in the fact that the servers are in different time-zone,
> so we
> have problem with clock skew errors. Are there any solution or
> workaround
> that accomplish this requirement using different ntp in different
> time zone
> in a way that the KDC server knows which is the real clock skew
> between two
> different time zone?
The time synchronized by NTP is not zone-dependent. Think of it as
getting all machines to agree on what the current UTC time is; the
local time each machine displays will be correct as long as the
machine (including the NTP service) is configured correctly.
> Let's say i have a server located in Rome and its time is synch with
> an
> italian ntp and we have a server located in New York with time synch
> with an
> American NTP. Considering the time zone the two times are synch,
> however for
> kerberos are desynch.
That shouldn't be a problem if the NTP servers are accurate.
A common time-sync problem we used to see in Kerberos is for machines
in different time zones to have their clocks set by hand to the
correct local time, but for the local time zone information to be set
incorrectly so that the machines' ideas of UTC differ. (You'd also
see a local display of the time zone to be incorrect, but since many
clock programs only display the time and not the time zone, it would
be easy to miss.) This can happen, for example, if your OS
installation software sets some default time zone and you don't fix
it, or if you move an installed machine across time zones and "fix"
the clock instead of setting the correct time zone. I've never heard
of this happening with NTP though; the implementations should be using
the operating system's notion of UTC.
If you're still seeing this problem with NTP, I strongly suggest you
investigate why the NTP servers disagree. (One possibility that
occurs to me is that they might be mistakenly configured to
synchronize to locally-set servers that have bad time zone settings
and no synchronization to stratum-1 time servers.)
Ken
More information about the Kerberos
mailing list