[28899] in Kerberos


RE: DST Time change

daemon@ATHENA.MIT.EDU (Durbin_Ron@emc.com)
Wed Dec 12 10:51:30 2007

From: Durbin_Ron@emc.com
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Wed, 12 Dec 2007 10:50:53 -0500
Message-ID: <97982DAF1EA1494DB6C65C2EEAA6296108DBC266@CORPUSMX40B.corp.emc.com>
In-Reply-To: <tslhcsz3yl0.fsf@cz.mit.edu>
To: <kerberos@mit.edu>
Cc: ietf-krb-wg@anl.gov
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

How does MIT Kerberos support IPv6 addresses in the krb5.conf?
Specifically how does it distinguish between a ":" in the address and
the ":" delimiting the port number?

Example:

	192.168.100.20:20
	2002:8c8:0:2312:0:2:ac18:f412:20
How do we distinguish this?
This is the industry standard way.
	[2002:8c8:0:2312:0:2:ac18:f412]:20

Ron

-----Original Message-----
From: kerberos-bounces@MIT.EDU [mailto:kerberos-bounces@MIT.EDU] On
Behalf Of Sam Hartman
Sent: Monday, March 05, 2007 7:17 PM
To: mayer@ntp.isc.org
Cc: Edgecombe, Jason; kerberos@MIT.EDU
Subject: Re: DST Time change

>>>>> "Danny" == Danny Mayer <mayer@ntp.isc.org> writes:

    Danny> Edgecombe, Jason wrote:
    >> Hi,
    >> 
    >> Should the upcoming DST time change have any impact on
    >> kerberos? As I recall, kerberos uses UTC for its
    >> authentication requests. Is this correct?
    >> 

    Danny> Well, it's just a week away from the change to DST in the
    Danny> US. Now you ask? The answer is no, it only uses UTC.
    >> Will I see authentication failures from patched or unpatched
    >> windows/Linux/solaris machines assuming that someone hasn't
    >> manually tweaked the time?

    Danny> DST, etc. is only for display purposes. All underlying code
    Danny> uses UTC. If something fails to install the patches it
    Danny> really doesn't matter as it only affects what you see for
    Danny> files. You should worry about your syslog being off by an
    Danny> hour as with the Windows eventlog, but failures you won't
    Danny> see because of it.

You're overlooking a lot of complexity.  Most computers (with the
exception of systems that only run Unix) tend to store the hardware
clock in local time not UTC.  So, rebooting during the DST period may
well cause your idea of UTC to be off by an hour.  Similarly if you go
futz the time because you think DST has started and your computer does
not, you will get things to be off by an hour.

This will break Kerberos.  My recommendation is to find out how to set
the clockskew for your implementation to some value greater than an
hour and do that.

--Sam

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
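
Added example, not part of the original thread and not MIT Kerberos code: a small host/port splitter showing how the bracketed form in Ron's message removes the ambiguity, and how an unbracketed IPv6 literal can silently absorb an intended port. The names split_host_port and _port are hypothetical, and nothing here describes how krb5.conf is actually parsed.

```python
import ipaddress

def _port(text):
    # Accept only a decimal port in 1..65535.
    if not text.isdigit() or not 0 < int(text) <= 65535:
        raise ValueError("bad port %r" % text)
    return int(text)

def split_host_port(value, default_port=None):
    """Split 'host', 'host:port', '[v6]' or '[v6]:port' into (host, port)."""
    value = value.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            raise ValueError("missing ']' in %r" % value)
        # IPv6Address raises a ValueError subclass on a malformed literal.
        host = str(ipaddress.IPv6Address(value[1:end]))
        rest = value[end + 1:]
        if rest == "":
            return host, default_port
        if not rest.startswith(":"):
            raise ValueError("unexpected text after ']' in %r" % value)
        return host, _port(rest[1:])
    if value.count(":") >= 2:
        # No brackets and several colons: the only safe reading is a bare
        # IPv6 address with no port. Anything else is rejected, not guessed.
        try:
            return str(ipaddress.IPv6Address(value)), default_port
        except ValueError:
            raise ValueError("ambiguous, bracket the IPv6 address: %r" % value)
    host, sep, port = value.partition(":")
    if not host:
        raise ValueError("empty host in %r" % value)
    return host, (_port(port) if sep else default_port)

if __name__ == "__main__":
    # First three inputs are the examples from the message above; the last
    # is constructed: a valid address whose final group looks like a port.
    for s in ("192.168.100.20:20",
              "[2002:8c8:0:2312:0:2:ac18:f412]:20",
              "2002:8c8:0:2312:0:2:ac18:f412:20",
              "2002:8c8::ac18:f412:88"):
        try:
            print(s, "->", split_host_port(s, default_port=88))
        except ValueError as exc:
            print(s, "-> rejected:", exc)
```

The last sample is the case to watch for in configuration review: without brackets, a trailing ":88" meant as a port is a legal final group of the address, so the entry parses cleanly but points at a different host.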


