Question about clock skew error handling

Sriram Nambakam snambakam at
Fri May 16 13:50:05 EDT 2008

We would appreciate it if someone could shed more light on the right way
to handle clock skew errors from Kerberos.


When krb5_get_init_creds_password is called, krb5_get_in_tkt  in
get_in_tkt.c is called. That function sends the KRB5_AS_REQ and receives
the reply. Here is the code which looks at the error reply:

    if ((retval = send_as_request(context, &request, &time_now,

                      &as_reply, &use_master)))

        goto cleanup;


    if (err_reply) {

        if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED &&

            err_reply->e_data.length > 0) {

        retval = decode_krb5_padata_sequence(&err_reply->e_data,


        krb5_free_error(context, err_reply);

        if (retval)

            goto cleanup;


        } else {

           retval = (krb5_error_code) err_reply->error  +

           krb5_free_error(context, err_reply);

           goto cleanup;


    } else if (!as_reply) {



If the server replies with an error that is not
KDC_ERR_PREAUTH_REQUIRED, like KRB_AP_ERR_SKEW, then the error code is
returned and the rest of the krb5_error structure is thrown away. We
would like to use the stime field of the krb5_error structure to
automatically synchronize the clock with krb5_set_real_time.


Is it deliberate that Krb5 does not want to let the API have access to
the real time reported in the clock skew error?


Is it okay to patch Krb5 to have this functionality?


Some of our vendors use a time service such as NTP.

Also, we provide our own time sync service, wherein we can query an
active directory domain controller to get the current time and sync the
system time appropriately. However, there are still some cases where we
get Kerberos errors with respect to clock skew.




More information about the krbdev mailing list