Re: kerberos and time zone



Ken Raeburn wrote:
On Apr 17, 2009, at 05:02, Ken Raeburn wrote:
On Apr 17, 2009, at 04:36, Andrea Cirulli wrote:
Hi all,

I have the following problem:

We are managing the authentication of several servers with Kerberos. The
issue lies in the fact that the servers are in different time zones, so we
have problems with clock skew errors. Is there any solution or workaround
that accomplishes this requirement using different NTP in different time
zones, in a way that the KDC server knows what the real clock skew is
between two different time zones?
The time synchronized by NTP is not zone-dependent. Think of it as
getting all machines to agree on what the current UTC time is; the
local time each machine displays will be correct as long as the
machine (including the NTP service) is configured correctly.

I neglected to mention this in my previous message, but the Kerberos
protocol uses UTC time. This is why getting all machines to agree on
UTC (which NTP should do, when configured correctly) is important, and
the time-zone problems we used to see (mostly on really old Windows
systems, I think) were important even if the displayed local time was
correct.

Let me respond in my capacity as one of the NTP developers.

NTP deals only with UTC. It knows nothing about local timezones. All
national labs that have time standard setups have atomic clocks that
agree with each other to the order of nanoseconds based on the weighted
average of about 250 atomic clocks at the International Bureau of
Weights and Measures in Paris. Kerberos only needs two systems to be
within 5 minutes of each other by default, which is hardly an onerous
requirement since ntp will keep the clocks within milliseconds of each
other.

In other words, as long as you are running NTP on each system and they
are synching to their servers you have nothing to worry about.
Disagreements between ntp servers based in different countries are too
small for you to measure using ordinary methods.

I hope this helps.

Danny
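
The point made in this thread, as an added example that is not part of the original messages: Kerberos timestamps are UTC, so hosts in different zones pass the 5-minute skew check, while a host whose displayed local time looks right but whose zone is configured wrong does not. Host names, wall-clock readings and UTC offsets below are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Default tolerance quoted in the thread: 5 minutes.
CLOCK_SKEW = timedelta(minutes=5)

def to_utc(wall_clock, utc_offset_hours):
    """Derive UTC from a naive wall-clock reading and the host's configured offset."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    return wall_clock.replace(tzinfo=zone).astimezone(timezone.utc)

def kerberos_time(utc):
    """KerberosTime is a GeneralizedTime in UTC with no fractional seconds."""
    return utc.strftime("%Y%m%d%H%M%SZ")

def within_skew(host_utc, kdc_utc, tolerance=CLOCK_SKEW):
    """The skew check compares UTC instants; local zones never enter into it."""
    return abs(host_utc - kdc_utc) <= tolerance

# Constructed sample hosts: (name, displayed local time, configured UTC offset).
HOSTS = [
    ("kdc-rome",    datetime(2009, 4, 17, 14, 0, 0), +2),  # CEST, NTP-synced
    ("app-newyork", datetime(2009, 4, 17, 8, 0, 2),  -4),  # EDT, NTP-synced
    # Clock set by hand to the correct New York local time, but the zone
    # is left at UTC, so the UTC this host derives is four hours off.
    ("app-badzone", datetime(2009, 4, 17, 8, 0, 2),   0),
]

def evaluate(hosts=HOSTS):
    """Return {host: (KerberosTime string, passes skew check against the first host)}."""
    kdc_utc = to_utc(hosts[0][1], hosts[0][2])
    results = {}
    for name, wall_clock, offset in hosts:
        utc = to_utc(wall_clock, offset)
        results[name] = (kerberos_time(utc), within_skew(utc, kdc_utc))
    return results

if __name__ == "__main__":
    for name, (stamp, ok) in evaluate().items():
        print(f"{name:12} {stamp}  {'ok' if ok else 'clock skew too great'}")
```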
