...

[libdefaults]

   kdc_timesync

Setting this variable to 1 enables Kerberos clients to automatically correct for a difference between the local clock and the clock used by the KDC. Note that you will need to set ccache_type to a value of 4 to use this feature.

...

Please note that the KDC's clock and the application servers' clocks still need to be synchronized within the limits imposed by the allowable clock skew. It is strongly recommended that the KDC and application servers use NTP to ensure their clocks are synchronized.

How to increase the allowable time skew from 5 min to 1 hr and 5 min

Kerberos' use of timestamps is primarily intended to prevent replay attacks. In other words, the protocol is designed to prevent an attacker from using previously captured network traffic and resubmitting it in order to gain unauthorized access to systems. The default allowable clock skew in most Kerberos deployments is five minutes. One possible way of avoiding any Kerberos-related problems as a result of the DST rule changes is to change the allowable clock skew from 5 minutes to 1 hour and 5 minutes.
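The trade-off described above, as an added example that is not part of the original page: a simplified model of an application server's timestamp check and replay cache, run with the default 300-second skew and the widened 3900-second skew. The class, function names and timestamps are constructed for illustration, and the result strings stand in for the Kerberos skew and repeat errors.

```python
from dataclasses import dataclass, field

DEFAULT_SKEW = 5 * 60    # 300 s, the usual default
WIDENED_SKEW = 65 * 60   # 3900 s = 1 hr 5 min (MIT krb5 takes this in seconds as `clockskew`)


@dataclass
class Server:
    """Toy application server (simplified model, not real Kerberos code)."""
    skew: int
    seen: dict = field(default_factory=dict)  # (client, ctime) -> ctime

    def accept(self, client: str, ctime: int, now: int) -> str:
        # Drop cache entries the timestamp check alone would already reject.
        self.seen = {k: t for k, t in self.seen.items() if abs(now - t) <= self.skew}
        if abs(now - ctime) > self.skew:
            return "skew"      # stands in for KRB_AP_ERR_SKEW
        if (client, ctime) in self.seen:
            return "replay"    # stands in for KRB_AP_ERR_REPEAT
        self.seen[(client, ctime)] = ctime
        return "ok"


def exposure_seconds(skew: int, ctime: int, first_seen: int) -> int:
    """Seconds after first sighting during which the timestamp check alone
    would still accept the same authenticator; the replay cache has to
    remember it for at least this long."""
    return max(0, ctime + skew - first_seen)


def demo() -> dict:
    t0 = 1_700_000_000        # constructed server time (UTC seconds)
    client_time = t0 - 3600   # constructed: client clock one hour behind
    results = {}
    for name, skew in (("default", DEFAULT_SKEW), ("widened", WIDENED_SKEW)):
        srv = Server(skew)
        results[name] = (
            srv.accept("alice", client_time, t0),        # first presentation
            srv.accept("alice", client_time, t0 + 60),   # same authenticator again
            srv.accept("alice", client_time, t0 + 400),  # again, outside the window
        )
    return results


if __name__ == "__main__":
    print(demo())
    for skew in (DEFAULT_SKEW, WIDENED_SKEW):
        print(skew, exposure_seconds(skew, 1000, 1000))
```

With the wider skew the one-hour-off client is accepted, but an in-sync client's authenticator now passes the timestamp check for 3900 seconds instead of 300, so rejecting a resubmission during that time depends entirely on the replay cache.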

The following deployment scenarios describe the expected effect of the DST rule changes on environments using Kerberos.

...