Clock skew too great status code

Arpit Srivastava arpit.orb at gmail.com
Thu Feb 6 09:24:36 EST 2014


Thanks Greg and Niko

I am using MIT Kerberos at the client side and AD as the KDC.

I am using an 8 hrs lifetime for the TGT.
Now, when I increase the time at the client side, say 2015, I get the following error
codes.
gss_inquire_cred
maj_stat = 720896, min_stat = 100001
gss_init_sec_context
maj_stat = 851968, min_stat = 100005

When I decrease the time at the client side, say 2013, I get the following error
codes.
gss_inquire_cred
maj_stat = 0, min_stat = 0
gss_init_sec_context
maj_stat = 851968, min_stat = 100005

How to handle such situations? Because I am not getting a clock skew error
even once (I get it only at the time of kinit).
Please advise how to handle clock-related problems at the client side.

Arpit






On Thu, Feb 6, 2014 at 1:17 AM, Nico Williams <nico at cryptonector.com> wrote:

> On Wed, Feb 5, 2014 at 11:05 AM, Greg Hudson <ghudson at mit.edu> wrote:
> > This could all work better if krb5 had used a ticket lifetime instead of
> > an end time (like krb4 did, but without the crazy 8-bit representation
> > of the lifetime).  But the protocol was designed under the assumption
> > that clients, servers, and KDCs would all have mostly synchronized
> > clocks, so it went with the simplification of always using absolute
> > timestamps and never relative intervals.
>
> And yet implementation-wise relative times are still needed...  I
> agree, 'twould have been better to have relative lifetime.
>
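
Added example, not part of the original thread: the maj_stat values quoted in the message can be split into their fields using the major-status layout and routine error numbering from the GSS-API C bindings (RFC 2744). The helper needs_new_credentials() is a hypothetical client-side policy, and min_stat is mechanism-specific, so it is not decoded here (that requires gss_display_status with GSS_C_MECH_CODE against the live library).

```c
#include <stdio.h>
#include <string.h>

/* Field layout of a GSS-API major status word (RFC 2744 C bindings):
 * calling error in bits 24-31, routine error in bits 16-23,
 * supplementary info bits in the low 16 bits. */
#define CALLING_ERROR(m) ((unsigned)(((m) >> 24) & 0xFFul))
#define ROUTINE_ERROR(m) ((unsigned)(((m) >> 16) & 0xFFul))
#define SUPPLEMENTARY(m) ((unsigned)((m) & 0xFFFFul))

/* Routine error names indexed by field value, as numbered in RFC 2744. */
static const char *const routine_names[] = {
    "(none)", "GSS_S_BAD_MECH", "GSS_S_BAD_NAME", "GSS_S_BAD_NAMETYPE",
    "GSS_S_BAD_BINDINGS", "GSS_S_BAD_STATUS", "GSS_S_BAD_SIG",
    "GSS_S_NO_CRED", "GSS_S_NO_CONTEXT", "GSS_S_DEFECTIVE_TOKEN",
    "GSS_S_DEFECTIVE_CREDENTIAL", "GSS_S_CREDENTIALS_EXPIRED",
    "GSS_S_CONTEXT_EXPIRED", "GSS_S_FAILURE", "GSS_S_BAD_QOP",
    "GSS_S_UNAUTHORIZED", "GSS_S_UNAVAILABLE", "GSS_S_DUPLICATE_ELEMENT",
    "GSS_S_NAME_NOT_MN"
};
#define N_ROUTINE (sizeof routine_names / sizeof routine_names[0])

unsigned routine_error(unsigned long maj) { return ROUTINE_ERROR(maj); }

const char *routine_error_name(unsigned long maj) {
    unsigned r = ROUTINE_ERROR(maj);
    return r < N_ROUTINE ? routine_names[r] : "unknown routine error";
}

/* Hypothetical policy (an assumption of this example): these routine errors
 * mean the credential itself is unusable, so reacquire it instead of retrying. */
int needs_new_credentials(unsigned long maj) {
    unsigned r = routine_error(maj);
    return r == 7 || r == 10 || r == 11; /* NO_CRED, DEFECTIVE_CREDENTIAL, CREDENTIALS_EXPIRED */
}

int main(void) {
    /* maj_stat values quoted in the message above */
    const unsigned long seen[] = { 720896UL, 851968UL, 0UL };
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++)
        printf("maj_stat=%lu calling=%u routine=%u (%s) supplementary=0x%04x reacquire=%d\n",
               seen[i], CALLING_ERROR(seen[i]), routine_error(seen[i]),
               routine_error_name(seen[i]), SUPPLEMENTARY(seen[i]),
               needs_new_credentials(seen[i]));
    return 0;
}
```

GSS_S_FAILURE only says that the mechanism reported an error; the reason is carried in min_stat, which has to be rendered by the mechanism that produced it.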

