maximum clock tolerance

Mauricio Tavares raubvogel at gmail.com
Fri Jul 19 15:42:36 EDT 2013


On Fri, Jul 19, 2013 at 2:54 PM, Danilo Pessoa Cardoso
<danilo.cardoso at levelup.com.br> wrote:
> Hello guys,
>
> I have one doubt about Kerberos configuration: is it possible to
> configure the maximum clock tolerance ( default is 5 min) on a linux
> system?
>
      You mean http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Clock-Skew.html?
>
>
> Just for your guys know, I need to do this because I currently have the
> following environment:
>
> *         Windows servers authenticating on AD using NTLM.
>
> *         Linux servers with local authentication that has to be in
> different clock times ( so I can't use ntp here)

      Care to elaborate? How different? Time zone different or
arbitrarily-set different (say, testing code)? Are they different
amongst the linux servers or only different between linux and the
other boxes?

>
> *         Macs workstations that need to authenticate on AD
>
> *         Windows 7 workstations currently authenticating on AD using
> NTLM.
>
>
>
> What I wanna do:
>
> *         Create a Kerberos server that will handle all authentication (
> linux + windows + macs) and manage the credentials on AD ( through LDAP)
>
>
>
> Problems I have encounter
>
> *         I can't synchronize the time on various servers ( I really
> can't), so, this machines wont log onto Kerberos
>
>
>
> In the AD exists a authentication option named "Maximum tolerance for
> computer clock synchronization" that  just "ignore" the time variation.
> So is there a way to do this kinda configuration on Kerberos Server (a
> debian )?
>
> Based on my environment, can you guys suggest me a "better" way to
> accomplish what I want to do!?
>
>
>
> Thanks all,
>
> Danilo P. Cardoso
>
> IT Security
>
> Level Up! Interactive S.A.
> Skype: danilopc.security
> Mail: danilo.cardoso at levelup.com.br
> <mailto:danilo.cardoso at levelup.com.br>
>
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos


More information about the Kerberos mailing list