[krbdev.mit.edu #7130] kinit to AD server should be more tolerant of clock skew

Greg Hudson via RT rt-comment at krbdev.mit.edu
Fri May 11 12:49:21 EDT 2012


Since the introduction of the get_init_creds interfaces, we have been 
including a start time in all initial ticket requests, not just ones where 
the caller asked for a specific start time.  The start time is ignored by 
MIT and Heimdal KDCs for non-postdated requests, but AD will reply with an 
error if the requested start time is in the future relative to the KDC, 
defeating the kdc_timesync option in one direction.

This change in the gic behavior also disabled the client check for too 
much clock skew in the KDC reply, since that check only operates if the 
start time was omitted in the request.
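The following model is an added illustration, not part of the original message and not krb5 source code. It reproduces the two effects described above: a KDC that rejects a future start time defeats skew tolerance in one direction, and sending a start time skips the client's skew check. The type and function names and the 300-second tolerance are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define CLOCKSKEW 300 /* assumed client skew tolerance, in seconds */

/* Two KDC behaviours from the message: MIT/Heimdal ignore the start time
 * of a non-postdated request; AD rejects one that lies in its future. */
enum kdc_kind { KDC_IGNORES_FROM, KDC_REJECTS_FUTURE_FROM };
enum outcome { TICKET_ISSUED, KDC_ERROR, CLIENT_SKEW_ERROR };

struct as_req { bool has_from; long from; }; /* hypothetical, simplified */

/* KDC side, non-postdated request. */
static bool kdc_accepts(enum kdc_kind kind, const struct as_req *req, long kdc_now)
{
    if (kind == KDC_REJECTS_FUTURE_FROM && req->has_from && req->from > kdc_now)
        return false;
    return true;
}

/* Client side: the skew check on the reply's start time only operates
 * when the request omitted the start time. */
static bool client_accepts(const struct as_req *req, long starttime, long client_now)
{
    if (req->has_from)
        return true; /* check skipped */
    return labs(starttime - client_now) <= CLOCKSKEW;
}

/* One initial ticket exchange; the ticket starts at the KDC's current time. */
enum outcome as_exchange(enum kdc_kind kind, bool send_from, long client_now, long kdc_now)
{
    struct as_req req = { send_from, send_from ? client_now : 0 };
    if (!kdc_accepts(kind, &req, kdc_now))
        return KDC_ERROR;
    if (!client_accepts(&req, kdc_now, client_now))
        return CLIENT_SKEW_ERROR;
    return TICKET_ISSUED;
}

int main(void)
{
    /* Constructed clock values: client 100 s ahead of the KDC. */
    printf("ignoring KDC:  %d\n", as_exchange(KDC_IGNORES_FROM, true, 1000, 900));
    printf("rejecting KDC: %d\n", as_exchange(KDC_REJECTS_FUTURE_FROM, true, 1000, 900));
    return 0;
}
```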


