maximum clock tolerance

Greg Hudson ghudson at MIT.EDU
Fri Jul 19 18:13:07 EDT 2013


On 07/19/2013 02:54 PM, Danilo Pessoa Cardoso wrote:
> I have one doubt about Kerberos configuration: is it possible to
> configure the maximum clock tolerance ( default is 5 min) on a linux
> system?

The "clockskew" variable in [libdefaults] in krb5.conf should set the
tolerance for the purpose of processing TGS-REQ and AP-REQ messages,
among other things.  Specify the value in seconds; the default is 300.
You will need to set it on server machines as well as the KDC.  If the
clock skew exceeds the ticket lifetime such that tickets appear to the
server to be expired, GSSAPI applications may not work.



More information about the Kerberos mailing list