...

To prevent intruders from resetting their system clocks so that they can continue to use expired tickets, Kerberos V5 is set up to reject ticket requests from any host whose clock is not within the specified maximum clock skew of the KDC (as specified in the kdc.conf file). Similarly, hosts are configured to reject responses from any KDC whose clock is not within the specified maximum clock skew of the host (as specified in the krb5.conf file). The default value for maximum clock skew is 300 seconds, or five minutes. One possible way of avoiding Kerberos-related problems caused by the DST rule changes is to change the allowable clock skew from 5 minutes to 1 hour and 5 minutes. It is important to understand that this has security implications. This document does not recommend that any site necessarily use this approach.

krb5.conf and kdc.conf

[libdefaults] 
    clockskew = 3900 

Sets the maximum allowable clock skew, in seconds, that the library will tolerate before assuming that a Kerberos message is invalid. The default value is 300 seconds, or five minutes.
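
The acceptance check described above, applied to the setting shown, as an added example that is not part of the original page. The sample configuration, realm name and epoch value are constructed, and the parser is a simplified reader for plain `key = value` lines in `[libdefaults]`, not the Kerberos library's own.

```python
import re

DEFAULT_CLOCKSKEW = 300  # seconds; the default stated on this page

# Constructed sample: the setting shown above inside a minimal krb5.conf.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    clockskew = 3900

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

def read_clockskew(text):
    """Return the first clockskew found in [libdefaults], else the default."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        setting = re.fullmatch(r"clockskew\s*=\s*(\d+)", line)
        if section == "libdefaults" and setting:
            return int(setting.group(1))
    return DEFAULT_CLOCKSKEW

def within_skew(local_time, message_time, clockskew):
    """Accept only if the two clocks differ by at most clockskew seconds."""
    return abs(local_time - message_time) <= clockskew

def audit(text):
    """Report the configured skew and how far it exceeds the default."""
    skew = read_clockskew(text)
    return {"clockskew": skew, "widened": skew > DEFAULT_CLOCKSKEW,
            "extra_seconds": max(0, skew - DEFAULT_CLOCKSKEW)}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
    now = 1_000_000  # constructed epoch value
    for offset in (200, 3600, 3700, 4000):  # seconds the peer clock is behind
        print(offset, within_skew(now, now - offset, DEFAULT_CLOCKSKEW),
              within_skew(now, now - offset, read_clockskew(SAMPLE_CONF)))
```

With `clockskew = 3900`, a clock that is a full hour off passes the check, and so does any timestamp up to 65 minutes from local time, which is the security implication the text refers to.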

...