-f option with kinit

Jeffrey Hutzelman jhutz at cmu.edu
Wed Oct 8 11:47:26 EDT 2008

--On Wednesday, October 08, 2008 08:46:45 AM -0400 Ken Raeburn 
<raeburn at mit.edu> wrote:

> On Oct 8, 2008, at 03:18, Xu, Qiang (FXSGSC) wrote:
>> Just want to know if there is any way to avoid the error of
>> KRB5KRB_AP_ERR_SKEW? It seems a time synchronization problem. Must I
>> enable NTP to make the time in accordance with the counter part in
>> Kerberos server?
> The KDC will send this back if your client uses a preauth scheme which
> carries as part of its protocol a timestamp; you could change the
> client not to use these preauth schemes I suppose.

He could, though I'm not sure we have a good alternative at the moment.

>  Or alter the KDC
> either not to implement the check, or to allow a much larger maximum
> clock skew.

I'd avoid doing this.  The time check is there for a reason; if you're 
going to disable it you may as well not use preauth at all.

A better option than either of these, if you can do it, is to just make 
sure your clients actually have correct time to begin with.  Running an NTP 
client on every machine is a good way to accomplish this.

-- Jeff

More information about the krbdev mailing list