kerberos and time zone

Danny Mayer mayer at ntp.isc.org
Wed Apr 22 19:57:22 EDT 2009


Ken Raeburn wrote:
> On Apr 17, 2009, at 05:02, Ken Raeburn wrote:
>> On Apr 17, 2009, at 04:36, Andrea Cirulli wrote:
>>> Hi all,
>>>
>>> I have the following problem:
>>>
>>> We are managing the authentication of several servers with Kerberos. The
>>> issue lies in the fact that the servers are in different time zones, so we
>>> have problems with clock skew errors. Are there any solutions or workarounds
>>> that accomplish this requirement using different ntp in different time zones
>>> in a way that the KDC server knows which is the real clock skew between two
>>> different time zones?
>> The time synchronized by NTP is not zone-dependent.  Think of it as  
>> getting all machines to agree on what the current UTC time is; the  
>> local time each machine displays will be correct as long as the  
>> machine (including the NTP service) is configured correctly.
> 
> I neglected to mention this in my previous message, but the Kerberos  
> protocol uses UTC time.  This is why getting all machines to agree on  
> UTC (which NTP should do, when configured correctly) is important, and  
> the time-zone problems we used to see (mostly on really old Windows  
> systems, I think) were important even if the displayed local time was  
> correct.

Let me respond in my capacity as one of the NTP developers.

NTP deals only with UTC. It knows nothing about local timezones. All
national labs that have time standard setups have atomic clocks that
agree with each other to the order of nanoseconds based on the weighted
average of about 250 atomic clocks at the International Bureau of
Weights and Measures in Paris. Kerberos only needs two systems to be
within 5 minutes of each other by default, which is hardly an onerous
requirement since ntp will keep the clocks within milliseconds of each
other.

In other words, as long as you are running NTP on each system and they
are synching to their servers you have nothing to worry about.
Disagreements between ntp servers based in different countries are too
small for you to measure using ordinary methods.

I hope this helps.

Danny
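
The point made in this thread, as an added example that is not part of the original messages: a simplified model of a clock skew check done on UTC instants, showing that hosts in different zones agree while a host with a wrong zone setting (local display correct, derived UTC wrong) fails. Host names, offsets and timestamps are constructed, and the plain absolute-difference comparison is an assumption standing in for a real KDC's check.

```python
from datetime import datetime, timedelta, timezone

# Default tolerance stated in the message above: 5 minutes.
MAX_SKEW = timedelta(minutes=5)


def utc_from_wall_clock(wall: datetime, configured_offset_hours: int) -> datetime:
    """UTC instant a host derives from its wall clock and its configured zone offset."""
    tz = timezone(timedelta(hours=configured_offset_hours))
    return wall.replace(tzinfo=tz).astimezone(timezone.utc)


def within_skew(host_utc: datetime, kdc_utc: datetime, max_skew=MAX_SKEW) -> bool:
    """True if the two UTC instants differ by no more than the allowed skew."""
    return abs(host_utc - kdc_utc) <= max_skew


def check_hosts(kdc_utc: datetime, hosts: dict) -> dict:
    """Map host name -> (skew relative to the KDC, accepted?)."""
    results = {}
    for name, (wall, offset_hours) in hosts.items():
        host_utc = utc_from_wall_clock(wall, offset_hours)
        results[name] = (host_utc - kdc_utc, within_skew(host_utc, kdc_utc))
    return results


# Constructed sample data: (wall-clock reading, configured UTC offset in hours).
KDC_UTC = datetime(2009, 4, 22, 23, 57, 22, tzinfo=timezone.utc)
HOSTS = {
    # Correctly configured hosts in two zones: different local time, same UTC.
    "rome": (datetime(2009, 4, 23, 1, 57, 22), +2),
    "newyork": (datetime(2009, 4, 22, 19, 57, 24), -4),
    # Wall clock set by hand to the right local time, but the zone is
    # configured as UTC+0, so the UTC this host reports is two hours off.
    "wrong-zone": (datetime(2009, 4, 23, 1, 57, 22), 0),
    # Correct zone, but the clock has drifted and is not synchronized.
    "drifted": (datetime(2009, 4, 22, 19, 50, 0), -4),
}
RESULTS = check_hosts(KDC_UTC, HOSTS)

if __name__ == "__main__":
    for host, (skew, ok) in RESULTS.items():
        seconds = skew.total_seconds()
        print(f"{host:11s} skew={seconds:+8.0f}s  {'ok' if ok else 'REJECTED'}")
```
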
