On Thu, 2011-07-07 at 01:59 -0400, Chris Hecker wrote:
> One more question about user-to-user: the FAQ says that the "Clocks
> Adrift" paper's solution for not forcing clients to have synced clocks
> is implemented in krb5. How does this relate to user-to-user sessions?

This should work for user-to-user sessions. When a client gets initial credentials, it learns its clock skew relative to the KDC. (For processes which come in later, the clock skew is remembered in file-based ccaches. If you use a different type of ccache, such as a Linux keyring cache, this mechanism may not work.) So both clients should be pretending that their time is the KDC's time for the purpose of Kerberos operations.
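
The remembered skew mentioned in the reply above, as an added example that is not part of the original message or of krb5's own code: a reader for the KDC time offset field in a file ccache header. It assumes the version 4 file ccache layout as documented by MIT (magic byte 5, version byte 4, a 16-bit header length, then tag/length/data fields with tag 1 holding a 32-bit seconds and 32-bit microseconds offset, all big-endian); the function names are hypothetical and the sample bytes are constructed.

```python
import struct
import time

KDC_OFFSET_TAG = 1  # header tag carrying the KDC time offset (assumed v4 layout)


def read_kdc_offset(ccache_bytes):
    """Return (seconds, microseconds) KDC offset from a v4 file ccache, or None."""
    if len(ccache_bytes) < 4:
        raise ValueError("truncated ccache")
    magic, version, header_len = struct.unpack_from(">BBH", ccache_bytes, 0)
    if magic != 5 or version != 4:
        raise ValueError("not a version 4 file ccache")
    end = 4 + header_len
    if end > len(ccache_bytes):
        raise ValueError("header length exceeds file size")
    pos = 4
    while pos + 4 <= end:
        tag, length = struct.unpack_from(">HH", ccache_bytes, pos)
        pos += 4
        if pos + length > end:
            raise ValueError("header field overruns header")
        if tag == KDC_OFFSET_TAG and length == 8:
            return struct.unpack_from(">ii", ccache_bytes, pos)
        pos += length  # skip fields this reader does not understand
    return None


def kdc_time(local_time, offset):
    """Local clock corrected to the KDC's clock; unchanged if no offset stored."""
    if offset is None:
        return local_time
    sec, usec = offset
    return local_time + sec + usec / 1_000_000


# Constructed sample: header with one offset field of -137 s, 250000 us.
_field = struct.pack(">HHii", KDC_OFFSET_TAG, 8, -137, 250000)
SAMPLE = struct.pack(">BBH", 5, 4, len(_field)) + _field
# Constructed sample with an empty header, as if no skew had been recorded.
SAMPLE_NO_OFFSET = struct.pack(">BBH", 5, 4, 0)

if __name__ == "__main__":
    off = read_kdc_offset(SAMPLE)
    print("stored offset:", off)
    print("KDC-adjusted time:", kdc_time(time.time(), off))
```

A process that finds no offset field falls back to its own clock, which is the situation the reply warns about for cache types that do not store the skew.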
