[31001] in Kerberos
RE: kerberos and time zone
daemon@ATHENA.MIT.EDU (Xu, Qiang (FXSGSC))
Fri Apr 17 05:00:06 2009
From: "Xu, Qiang (FXSGSC)" <Qiang.Xu@fujixerox.com>
To: Andrea Cirulli <acirulli@gmail.com>, "kerberos@mit.edu" <kerberos@mit.edu>
Date: Fri, 17 Apr 2009 16:59:27 +0800
Message-ID: <D8C9BC7FFCF8154FB7141EB8DB609C172905FB4CB6@SGPAPHQ-EXSCC01.dc01.fujixerox.net>
In-Reply-To: <191a80d00904170151o44e7239cub279589dafcf998f@mail.gmail.com>
Content-Language: en-US
MIME-Version: 1.0
X-MAIL-FROM: <qiang.xu@fujixerox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Another walkaround I can think of is to adjust the time zone difference specifically when you do Kerberos authentication. Let's say there is an application called netAuthService that takes care of authentication. Then if you can detect your authentication type is Kerberos, then you tweak your time in your authentication request to within the timezone of your Kerberos server.
Is this feasible?
________________________________
From: Andrea Cirulli [mailto:acirulli@gmail.com]
Sent: Friday, April 17, 2009 4:52 PM
To: Xu, Qiang (FXSGSC); kerberos@mit.edu
Subject: Re: kerberos and time zone
Obviously it is not possible....I cannot make such a decision, because there are sensible data that needs that time is synch with the country in which are located.
So there is no solution?
On Fri, Apr 17, 2009 at 10:43 AM, Xu, Qiang (FXSGSC) <Qiang.Xu@fujixerox.com<mailto:Qiang.Xu@fujixerox.com>> wrote:
Why not let your server sync with American NTP server?
> -----Original Message-----
> From: kerberos-bounces@mit.edu<mailto:kerberos-bounces@mit.edu>
> [mailto:kerberos-bounces@mit.edu<mailto:kerberos-bounces@mit.edu>] On Behalf Of Andrea Cirulli
> Sent: Friday, April 17, 2009 4:37 PM
> To: kerberos@mit.edu<mailto:kerberos@mit.edu>
> Subject: kerberos and time zone
>
> Hi all,
>
> I have the following problem:
>
> We are managing the authentication of several servers with
> Kerberos. The issue lies in the fact that the servers are in
> different time-zone, so we have problem with clock skew
> errors. Are there any solution or workaround that accomplish
> this requirement using different ntp in different time zone
> in a way that the KDC server knows which is the real clock
> skew between two different time zone?
>
> Let's say i have a server located in Rome and its time is
> synch with an italian ntp and we have a server located in New
> York with time synch with an American NTP. Considering the
> time zone the two times are synch, however for kerberos are desynch.
>
> Is there any workaround or solution to this issue?
>
> We are planning to use a bigger clock skew which will cover
> the difference between the two time zones ( this is the worst
> solution).
>
> Any hint would be helpful.
>
> Thanks in advance.
>
> --
> Andrea Cirulli
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu<mailto:Kerberos@mit.edu>
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--
Andrea Cirulli
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
