[31003] in Kerberos
Re: kerberos and time zone
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Fri Apr 17 05:15:55 2009
From: Ken Raeburn <raeburn@mit.edu>
To: Andrea Cirulli <acirulli@gmail.com>
In-Reply-To: <C83549D9-4448-4915-9C59-4C824E122E0A@mit.edu>
Message-Id: <605215DE-5882-4D3B-883A-D48B81542CFB@mit.edu>
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Fri, 17 Apr 2009 05:15:43 -0400
Cc: Kerberos mailing list <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Apr 17, 2009, at 05:02, Ken Raeburn wrote:
> On Apr 17, 2009, at 04:36, Andrea Cirulli wrote:
>> Hi all,
>>
>> I have the following problem:
>>
>> We are managing the authentication of several servers with
>> Kerberos. The
>> issue lies in the fact that the servers are in different time-zone,
>> so we
>> have problem with clock skew errors. Are there any solution or
>> workaround
>> that accomplish this requirement using different ntp in different
>> time zone
>> in a way that the KDC server knows which is the real clock skew
>> between two
>> different time zone?
>
> The time synchronized by NTP is not zone-dependent. Think of it as
> getting all machines to agree on what the current UTC time is; the
> local time each machine displays will be correct as long as the
> machine (including the NTP service) is configured correctly.
I neglected to mention this in my previous message, but the Kerberos
protocol uses UTC time. This is why getting all machines to agree on
UTC (which NTP should do, when configured correctly) is important, and
the time-zone problems we used to see (mostly on really old Windows
systems, I think) were important even if the displayed local time was
correct.
Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
