client's system clock is ahead of KDC system clock

Greg Hudson ghudson at MIT.EDU
Tue Jan 29 18:04:45 EST 2013


On 01/29/2013 05:43 PM, Jim Shi wrote:
> Hi, if a client's system clock is one hour ahead of KDC system clock, should I get a valid TGT, or
> should I get a clock skewed error?

With MIT krb5, it depends on the client version, the value of the
kdc_timesync variable in [libdefaults] (which defaults to true), and
whether you are using encrypted timestamp preauth.  I believe the matrix is:

In 1.11:
* kdc_timesync on: success with or without preauth
* kdc_timesync off: failure with or without preauth

Prior to 1.11:
* kdc_timesync on: failure with preauth, success without
* kdc_timesync off: failure with preauth, success (sort of) without

I say "sort of" in the final case because the client will store the TGT,
but won't make successful TGS requests because it won't adjust its
authenticator timestamps to match the clock skew.
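
A simplified model of the two "prior to 1.11, without preauth" rows above, added as an illustration and not taken from the original post or from MIT krb5. The names `Kdc`, `Client` and `run` are hypothetical, the clock values are constructed, and the 300-second tolerance is the default value of MIT krb5's `clockskew` setting.

```python
from dataclasses import dataclass

CLOCKSKEW = 300  # seconds; default of MIT krb5's "clockskew" setting


class SkewError(Exception):
    """Stands in for the KDC rejecting a timestamp outside the tolerance."""


@dataclass
class Kdc:
    now: int  # KDC wall clock in seconds (constructed value)

    def as_req_no_preauth(self):
        # Modelled as in the "success without" rows: nothing in the request
        # is skew-checked, and the reply lets the client learn the KDC time.
        return {"ticket": "TGT", "kdc_time": self.now}

    def tgs_req(self, authenticator_time):
        # The authenticator timestamp must be within CLOCKSKEW of KDC time.
        if abs(authenticator_time - self.now) > CLOCKSKEW:
            raise SkewError(authenticator_time - self.now)
        return {"ticket": "service"}


@dataclass
class Client:
    now: int            # client wall clock in seconds
    kdc_timesync: bool  # mirrors the [libdefaults] variable
    offset: int = 0     # correction applied to outgoing timestamps

    def get_tgt(self, kdc):
        reply = kdc.as_req_no_preauth()
        if self.kdc_timesync:
            # Remember how far the local clock is from the KDC's.
            self.offset = reply["kdc_time"] - self.now
        return reply["ticket"]

    def get_service_ticket(self, kdc):
        return kdc.tgs_req(self.now + self.offset)["ticket"]


def run(kdc_timesync, client_ahead=3600):
    """Return (TGT result, TGS result) for a client clock `client_ahead` s fast."""
    kdc = Kdc(now=1_359_500_000)  # constructed KDC time
    client = Client(now=kdc.now + client_ahead, kdc_timesync=kdc_timesync)
    tgt = client.get_tgt(kdc)
    try:
        return tgt, client.get_service_ticket(kdc)
    except SkewError:
        return tgt, "clock skew error"
```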


