Fixing clock skew
Ben Creech
bpcreech at eos.ncsu.edu
Fri May 23 18:09:26 EDT 2003
Yes, this was much easier than using the krb5_error. For my purposes, I
can just compare k5tgt.times.authtime to time(NULL), then fix the system
time and get the TGT again if necessary.
I could instead perform the correction when getting tickets, but I don't
think GSSAPI does this, so other kerberized programs might still get
screwed up.
> IIRC the MIT clients support the use of the time from the KDC's
> KRB-ERROR to retry using the apparent offset to the KDC's time. The
> ccache version 4 also supports storing this offset along with
> credentials in the ccache. So if you get your config file options
> right you can actually get time offsets from klist, authenticated time
> offsets, mind you.
>
> Cheers,
>
> Nico
More information about the krbdev
mailing list