kerberos and time zone

Ken Raeburn raeburn at MIT.EDU
Fri Apr 17 05:02:11 EDT 2009


On Apr 17, 2009, at 04:36, Andrea Cirulli wrote:
> Hi all,
>
> I have the following problem:
>
> We are managing the authentication of several servers with Kerberos. The
> issue lies in the fact that the servers are in different time zones, so we
> have problems with clock skew errors. Is there any solution or workaround
> that accomplishes this requirement using different NTP servers in different
> time zones, in a way that the KDC server knows what the real clock skew
> between two different time zones is?

The time synchronized by NTP is not zone-dependent.  Think of it as  
getting all machines to agree on what the current UTC time is; the  
local time each machine displays will be correct as long as the  
machine (including the NTP service) is configured correctly.

> Let's say I have a server located in Rome and its time is synced with an
> Italian NTP server, and we have a server located in New York with time synced
> with an American NTP server. Considering the time zone, the two times are in
> sync; however, for Kerberos they are out of sync.

That shouldn't be a problem if the NTP servers are accurate.

A common time-sync problem we used to see in Kerberos is for machines  
in different time zones to have their clocks set by hand to the  
correct local time, but for the local time zone information to be set  
incorrectly so that the machines' ideas of UTC differ.  (You'd also  
see a local display of the time zone to be incorrect, but since many  
clock programs only display the time and not the time zone, it would  
be easy to miss.)  This can happen, for example, if your OS  
installation software sets some default time zone and you don't fix  
it, or if you move an installed machine across time zones and "fix"  
the clock instead of setting the correct time zone.  I've never heard  
of this happening with NTP though; the implementations should be using  
the operating system's notion of UTC.

If you're still seeing this problem with NTP, I strongly suggest you  
investigate why the NTP servers disagree.  (One possibility that  
occurs to me is that they might be mistakenly configured to  
synchronize to locally-set servers that have bad time zone settings  
and no synchronization to stratum-1 time servers.)

Ken
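
The failure described in the reply above (a clock set by hand to the right local time while the configured zone is wrong) can be told apart from ordinary drift, because the resulting UTC error lands on a time zone step. This is an added example, not part of the original message: the host names, sample times and the 120-second slop are constructed, and 300 seconds is the MIT Kerberos default for `clockskew`.

```python
from datetime import datetime, timedelta, timezone

CLOCKSKEW = 300        # seconds; MIT Kerberos default tolerance (krb5.conf "clockskew")
ZONE_STEP = 15 * 60    # time zone offsets are whole multiples of 15 minutes
DRIFT_SLOP = 120       # assumed: drift allowed around a zone step before we stop blaming the zone

def implied_utc(wall_clock, configured_offset_hours):
    """UTC as the OS derives it: displayed local time minus the configured zone offset."""
    tz = timezone(timedelta(hours=configured_offset_hours))
    return wall_clock.replace(tzinfo=tz).astimezone(timezone.utc)

def classify(skew_seconds):
    """Label a UTC error as tolerable, zone-shaped, or plain drift."""
    if abs(skew_seconds) <= CLOCKSKEW:
        return "ok"
    nearest = round(skew_seconds / ZONE_STEP) * ZONE_STEP
    if nearest != 0 and abs(skew_seconds - nearest) <= DRIFT_SLOP:
        return "zone-misconfigured"   # error sits on a zone step: check the TZ setting
    return "clock-drift"              # arbitrary error: check NTP synchronization

def audit(hosts, true_utc):
    """hosts: (name, displayed local time, configured UTC offset in hours)."""
    report = {}
    for name, wall_clock, offset in hosts:
        skew = (implied_utc(wall_clock, offset) - true_utc).total_seconds()
        report[name] = (int(skew), classify(skew))
    return report

# Constructed sample: reference UTC and what each host displays locally.
TRUE_UTC = datetime(2009, 4, 17, 9, 0, 0, tzinfo=timezone.utc)
HOSTS = [
    # Rome, zone UTC+2 set correctly, clock 5 s fast.
    ("rome-ok", datetime(2009, 4, 17, 11, 0, 5), +2),
    # Moved to New York; clock "fixed" by hand to local time, zone left at UTC+2.
    ("nyc-moved", datetime(2009, 4, 17, 5, 0, 10), +2),
    # Zone correct, but the clock has drifted 500 s.
    ("drifter", datetime(2009, 4, 17, 11, 8, 20), +2),
]

if __name__ == "__main__":
    for host, (skew, verdict) in audit(HOSTS, TRUE_UTC).items():
        print(f"{host:10s} skew={skew:+7d}s  {verdict}")
```
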


