Fixing clock skew

Ben Creech bpcreech at
Fri May 23 18:09:26 EDT 2003

Yes, this was much easier than using the krb5_error.  For my purposes, I 
can just compare k5tgt.times.authtime to time(NULL), then fix the system 
time and get the TGT again if necessary.

I could instead perform the correction when getting tickets, but I don't 
think GSSAPI does this, so other kerberized programs might still get 
screwed up.

> IIRC the MIT clients support the use of the time from the KDC's
> KRB-ERROR to retry using the apparent offset to the KDC's time.  The
> ccache version 4 also supports storing this offset along with
> credentials in the ccache.  So if you get your config file options
> right you can actually get time offsets from klist, authenticated time
> offsets, mind you.
> Cheers,
> Nico

More information about the krbdev mailing list