On Aug 16, 2006, at 01:44, preetam R wrote:
> As I understand from the Kerberos admin guide, the
> option, kdc_timesync enables the Kerberos client to
> make up for the time difference between its system
> time and KDC's time.
>
> But, then does this mean that even the application
> server must also be in sync with KDC's time? Since,
> the timestamp used in the Service Ticket is based on
> KDC's time.

They're both required to be more or less in sync with the client, and thus indirectly with each other. The kdc_timesync code just drops the client's clock out of the equation, by finding an offset to pretend that it's exactly synchronized with the KDC. (Though if the clock drifts, or is adjusted to become in sync, using the old offset can throw things off again.)

Ken

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
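
The offset behaviour discussed in this thread can be modelled in a few lines. This is an added example, not part of the original messages and not MIT krb5 code; `Host`, `Client`, `server_accepts` and `scenarios` are hypothetical names, the clock errors are constructed values, and the 300-second tolerance is the MIT krb5 default `clockskew`.

```python
from dataclasses import dataclass

CLOCKSKEW = 300  # seconds; MIT krb5 default tolerance


@dataclass
class Host:
    """A machine whose local clock is `error` seconds away from true time."""
    error: float

    def now(self, true_time):
        return true_time + self.error


class Client(Host):
    def __init__(self, error):
        super().__init__(error)
        self.offset = 0.0  # correction learned from a KDC reply

    def learn_offset(self, true_time, kdc):
        # kdc_timesync idea: offset = KDC time - local time at the exchange
        self.offset = kdc.now(true_time) - self.now(true_time)

    def authenticator_time(self, true_time):
        # Timestamp the client sends to the application server
        return self.now(true_time) + self.offset


def server_accepts(server, client, true_time):
    """Service-side check: timestamp must be within CLOCKSKEW of its own clock."""
    delta = server.now(true_time) - client.authenticator_time(true_time)
    return abs(delta) <= CLOCKSKEW


def scenarios():
    t = 1_000_000.0                 # constructed "true" time
    kdc = Host(error=0)
    results = {}
    # Client 20 minutes fast, server near KDC time: the offset hides the error.
    c = Client(error=1200)
    c.learn_offset(t, kdc)
    results["offset_applied"] = server_accepts(Host(10), c, t)
    # Same client clock with no offset learned: rejected by the server.
    results["no_offset"] = server_accepts(Host(10), Client(1200), t)
    # The offset does nothing for a server that is itself 20 minutes off.
    results["server_drifted"] = server_accepts(Host(-1200), c, t)
    # Client clock later corrected, old offset still in use: off again.
    c.error = 0
    results["stale_offset"] = server_accepts(Host(10), c, t + 3600)
    return results
```
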
