Why use krb5_set_real_time() instead of NTP ?

Stefan (metze) Metzmacher metze at samba.org
Wed May 10 09:17:36 GMT 2006


Gerald (Jerry) Carter wrote:
> Luke Howard wrote:
>>> Well, you don't have to change the system time (of course whether
>>> you securely know what the KDC time is is another matter).
>>> From the Heimdal code:
>>> /*
>>>  * Set the absolute time that the caller knows the kdc has so the
>>>  * kerberos library can calculate the relative difference between the
>>>  * KDC time and local system time.
>>>  */
> Luke,
> Maybe I'm being dense here, but is this really the case of
> a user space application trying to work around
> an unsynchronized system clock on the client?

Hi Jerry,

That's what Windows also does.

When Windows gets the CLOCK_SKEW error to a KDC request it uses the time
field in the error response and then retries the request. It also looks
at the error string field in this case; I assume the NTSTATUS code
should be in there to make this work.

I fixed this against samba4 by sending no error string at all, and the
Windows clients are happy to retry against samba4 now too.
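
The retry behaviour discussed in this thread, as an added example that is not part of the original message and is not Heimdal, Samba or Windows code: a self-contained C model of a library-local clock offset with a single skew-corrected retry. The names `struct ctx`, `set_real_time`, `lib_time`, `kdc_check` and `request_with_skew_retry`, the 300-second tolerance and the sample timestamps are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define KRB_AP_ERR_SKEW 37   /* RFC 4120 error code for clock skew */
#define MAX_SKEW 300         /* assumed KDC tolerance, in seconds */

/* Model of a library context: holds an offset, never touches the system clock. */
struct ctx { int64_t kdc_sec_offset; };

/* Same idea as krb5_set_real_time(): record KDC time minus local time. */
static void set_real_time(struct ctx *c, int64_t local_now, int64_t kdc_now) {
    c->kdc_sec_offset = kdc_now - local_now;
}

/* Time the library puts into requests: local clock plus stored offset. */
static int64_t lib_time(const struct ctx *c, int64_t local_now) {
    return local_now + c->kdc_sec_offset;
}

/* Constructed stand-in for a KDC: rejects timestamps outside MAX_SKEW and
 * reports its own time in the error, like the time field of the error reply. */
static int kdc_check(int64_t kdc_now, int64_t client_ts, int64_t *stime) {
    int64_t d = client_ts - kdc_now;
    if (d < 0) d = -d;
    *stime = kdc_now;
    return d > MAX_SKEW ? KRB_AP_ERR_SKEW : 0;
}

/* One request with at most one skew-corrected retry. Returns the final
 * error code and stores the number of attempts made in *attempts. */
int request_with_skew_retry(struct ctx *c, int64_t local_now,
                            int64_t kdc_now, int *attempts) {
    int64_t stime;
    int rc = kdc_check(kdc_now, lib_time(c, local_now), &stime);
    *attempts = 1;
    if (rc == KRB_AP_ERR_SKEW) {
        /* The error reply is not integrity protected, so retry only once. */
        set_real_time(c, local_now, stime);
        rc = kdc_check(kdc_now, lib_time(c, local_now), &stime);
        *attempts = 2;
    }
    return rc;
}

int main(void) {
    struct ctx c = {0};
    int n;
    int rc = request_with_skew_retry(&c, 1000000, 1003600, &n); /* client 1h behind */
    printf("rc=%d attempts=%d offset=%lld\n", rc, n, (long long)c.kdc_sec_offset);
    return 0;
}
```

The offset lives only in the library context, so other processes and the system clock are unaffected, which is the distinction from running NTP.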


