client's system clock is ahead of KDC system clock
Nico Williams
nico at cryptonector.com
Tue Jan 29 18:33:47 EST 2013
On Tue, Jan 29, 2013 at 5:09 PM, Marcus Watts <mdw at umich.edu> wrote:
>> Hi, if a client's system clock is one hour ahead of KDC system clock, should I
>> get a valid TGT?, or
>> should I get clock skewed error?
>>
>> We have clients that are able to get TGT when system clock is ahead of server c
>> lock. Any idea if this is client issue? a KDC server issue?
>> Thanks
>
> Actually it's a perfectly valid case (so far as the kdc is concerned);
> you're just getting postdated tickets that will be valid in one hour.
> So if you're patient...
But the clients generally don't specify a "from" time. And to get a
postdated ticket the client would have to set the postdated flag.
In practice it will work (see Greg's reply).
> The more interesting case is if the clock is only a fraction
> of a second fast. This isn't a problem for users, but it
> is a problem for scripts that get a ticket and immediately use
> it: the result is sometimes the ticket will work, and
> sometimes it won't.
That's within the typical (default) skew allowance of 5 minutes.
Nico
--
More information about the Kerberos
mailing list