Why does Kerberos require computer clock synchronization?
The client node clock is deliberately set 10 hours ahead of the KDC.
Then kinit and klist are run from the client node.
kinit does not complain, and klist can see the ticket cache.
```
~date -s 19:20:38
~kinit -kt /etc/kuduclient.keytab [email protected]
~klist
Ticket cache: KEYRING:persistent:0:0
Default principal: [email protected]

Valid starting       Expires              Service principal
11/11/2020 09:49:23  11/12/2020 09:11:00  krbtgt/[email protected]
        renew until 11/18/2020 09:11:00
```
Solution 1:[1]
Time in Kerberos is relative. First, it's supposed to be based on the UTC time zone. If the 10 hour difference is just time-zone related, then the Kerberos stack will happily convert to UTC and all is well.
Second, many (most?) Kerberos stacks don't care about exact time; they care about the time relative to when the KDC thinks it is. What I mean by this is, the client can make a request to the KDC, and if the time is significantly out, the KDC will return an error including what it thinks is the current time. The client is free to resend the request with its time augmented to be within the KDC's window. This still guarantees security correctness because the time constraints are still met from the perspective of the authority -- the KDC.
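The exchange described in the answer above, as an added example that is not part of the original answer or of any Kerberos implementation. It is a simplified model with no encryption: the `ToyKDC` and `ToyClient` names, the 300-second window and the sample epoch value are assumptions; error code 37 (`KRB_AP_ERR_SKEW`) and the `stime` field of KRB-ERROR come from RFC 4120.

```python
from dataclasses import dataclass

KRB_AP_ERR_SKEW = 37      # RFC 4120: "Clock skew too great"
MAX_SKEW = 300            # seconds; assumed tolerance window for this model

@dataclass
class KrbError:
    code: int
    stime: int            # KDC's current time, carried in the KRB-ERROR

@dataclass
class Ticket:
    starttime: int        # stamped by the KDC from its own clock
    endtime: int

class ToyKDC:             # hypothetical stand-in for a real KDC
    def __init__(self, clock, lifetime=24 * 3600):
        self.clock, self.lifetime = clock, lifetime

    def as_req(self, client_timestamp):
        now = self.clock()
        # The authority judges freshness against its own clock only.
        if abs(client_timestamp - now) > MAX_SKEW:
            return KrbError(KRB_AP_ERR_SKEW, now)
        return Ticket(now, now + self.lifetime)

class ToyClient:          # hypothetical stand-in for a Kerberos client library
    def __init__(self, clock):
        self.clock, self.offset, self.attempts = clock, 0, 0

    def now(self):
        return self.clock() + self.offset     # local clock plus learned correction

    def get_ticket(self, kdc, retries=1):
        for _ in range(retries + 1):
            self.attempts += 1
            reply = kdc.as_req(self.now())
            if isinstance(reply, Ticket):
                return reply
            # Learn the offset from the KDC's stime, then resend.
            self.offset = reply.stime - self.clock()
        raise RuntimeError("clock skew too great")

def demo():
    kdc_time = 1605088163                     # constructed sample epoch value
    kdc = ToyKDC(lambda: kdc_time)
    client = ToyClient(lambda: kdc_time + 10 * 3600)   # client 10 hours ahead
    ticket = client.get_ticket(kdc)
    return client.attempts, client.offset, ticket.starttime - kdc_time
```

With `retries=0` the same client fails, which is the behaviour of a stack that does not apply the KDC-supplied correction and therefore needs synchronized clocks.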
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Steve |
