All hosts that participate in the Kerberos authentication system must have their internal clocks synchronized within a specified maximum amount of time (known as clock skew). This requirement provides another Kerberos security check. If the clock skew is exceeded between any of the participating hosts, client requests are rejected.
The clock skew also determines how long application servers must keep track of Kerberos protocol messages, in order to recognize and reject replayed requests. So, the longer the clock skew value, the more information that application servers have to collect.
The default value for the maximum clock skew is 300 seconds (five minutes). You can change this default in the libdefaults section of the krb5.conf file.
Because maintaining synchronized clocks between the KDCs and Kerberos clients is important, use the Network Time Protocol (NTP) software to synchronize them. NTP public domain software from the University of Delaware is included in the Oracle Solaris software. Documentation is available from NTP Documentation.
NTP enables you to manage precise time or network clock synchronization, or both, in a network environment. NTP is a server-client protocol. One system is the master clock, the NTP server. All other systems are NTP clients that synchronize their clocks with the master clock. To synchronize the clocks, NTP uses the xntpd daemon, which sets and maintains a UNIX system time-of-day in agreement with Internet standard time servers. The following figure shows an example of this server-client NTP implementation.
Figure 4-1 Synchronizing Clocks by Using NTP
Ensuring that the KDCs and Kerberos clients maintain synchronized clocks involves implementing the following steps:
Setting up an NTP server on your network. This server can be any system, except the master KDC.
As you configure the KDCs and Kerberos clients on the network, setting them up to be NTP clients of the NTP server. Return to the master KDC to configure it as an NTP client.
Enabling the NTP service on all systems.