
Managing Kerberos in Oracle® Solaris 11.4


Updated: August 2020

Synchronizing Clocks Between KDCs and Kerberos Clients

All hosts that participate in the Kerberos authentication system must keep their internal clocks synchronized to within a specified maximum difference, known as the clock skew. This requirement is an additional Kerberos security check: a timestamp that is too far from the receiving host's own clock cannot be distinguished from a stale, captured message. If the clock difference between any two participating hosts exceeds the maximum skew, client requests are rejected.

The clock skew also determines how long application servers must keep track of Kerberos protocol messages (the replay cache) in order to recognize and reject replayed requests. A message older than the skew is rejected by the timestamp check alone, so only messages within the skew window need to be remembered. The larger the clock skew value, therefore, the more state application servers have to retain.

The default value for the maximum clock skew is 300 seconds (five minutes). You can lower this default by setting clockskew in the libdefaults section of the krb5.conf file.

Note -  For security reasons, do not increase the clock skew beyond 300 seconds.
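The following is an added example, not code from the Oracle Solaris documentation or from the Kerberos implementation. It models the two effects described above: a server rejects a request whose timestamp differs from its own clock by more than clockskew, and an application server must remember each accepted authenticator for the length of the skew window so that a replayed copy is caught. The krb5.conf fragment, the host clock values and the principal names are constructed for the example; the clockskew parameter name and its 300-second default are the real libdefaults setting.

```python
"""Clock-skew check and replay-cache retention for Kerberos messages.

Added illustration, not Oracle's or MIT Kerberos's code.  It reads clockskew
from a constructed krb5.conf fragment, then runs a few constructed
authenticators through the skew check and a minimal replay cache.
"""
import re

DEFAULT_CLOCKSKEW = 300  # seconds; the documented default

# Constructed krb5.conf fragment.  Only [libdefaults] is parsed here.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    clockskew = 120

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
    }
"""


def read_clockskew(conf_text):
    """Return clockskew from the [libdefaults] section, or 300 if it is unset."""
    in_libdefaults = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_libdefaults = line == "[libdefaults]"
            continue
        if in_libdefaults:
            m = re.match(r"clockskew\s*=\s*(\d+)$", line)
            if m:
                return int(m.group(1))
    return DEFAULT_CLOCKSKEW


def within_skew(server_now, msg_time, clockskew):
    """True if msg_time lies within +/- clockskew of the server's own clock."""
    return abs(server_now - msg_time) <= clockskew


class ReplayCache:
    """Authenticators an application server has accepted, kept for clockskew seconds.

    An entry whose timestamp is older than clockskew can be dropped: a replay
    of it would already fail the skew check, so it no longer needs remembering.
    """

    def __init__(self, clockskew):
        self.clockskew = clockskew
        self.seen = {}  # (client principal, message timestamp) -> timestamp

    def accept(self, server_now, client, msg_time):
        """Classify one incoming authenticator as 'ok', 'skew' or 'replay'."""
        # Expire entries that have fallen outside the skew window.
        self.seen = {k: t for k, t in self.seen.items()
                     if server_now - t <= self.clockskew}
        if not within_skew(server_now, msg_time, self.clockskew):
            return "skew"
        key = (client, msg_time)
        if key in self.seen:
            return "replay"
        self.seen[key] = msg_time
        return "ok"

    def size(self):
        return len(self.seen)


def demo(clockskew=None):
    """Run constructed authenticators through the checks; returns (skew, outcomes, cached)."""
    skew = read_clockskew(SAMPLE_KRB5_CONF) if clockskew is None else clockskew
    cache = ReplayCache(skew)
    now = 1_700_000_000  # constructed server clock, seconds since the epoch
    outcomes = [
        cache.accept(now, "alice@EXAMPLE.COM", now - 30),        # fresh: ok
        cache.accept(now, "alice@EXAMPLE.COM", now - 30),        # same again: replay
        cache.accept(now, "bob@EXAMPLE.COM", now - 500),         # clock far behind: skew
        cache.accept(now + 200, "alice@EXAMPLE.COM", now - 30),  # 230 s later: see note
    ]
    return skew, outcomes, cache.size()


if __name__ == "__main__":
    for skew_setting in (None, 300):
        print(demo(skew_setting))
```

With the constructed file (clockskew = 120) the fourth message is rejected by the skew check and the cache is already empty, because 230 seconds have passed. Run demo(300) instead and the same replayed authenticator is still inside the window, so the server can only reject it because it kept the entry in its replay cache; that is the retention cost the text refers to, and why lowering the skew is the safe direction.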

Because maintaining synchronized clocks between the KDCs and Kerberos clients is important, use the Precision Time Protocol (PTP) or Network Time Protocol (NTP) software to synchronize the clocks. For how to configure clock synchronization in Oracle Solaris, see Managing Clock Synchronization in Oracle Solaris 11.4.

The NTP software is installed by default on most Oracle Solaris systems. You can install the PTP software by using the pkg install ptp command.

The following figure shows an example of NTP clock synchronization.

Figure 3  Synchronizing Clocks by Using NTP

Diagram: a central NTP server acts as the master clock for the NTP clients and the Kerberos clients, all of which run the ntpd daemon.

Ensuring that the KDCs and Kerberos clients maintain synchronized clocks involves the following steps:

  1. Set up a PTP or an NTP server on your Kerberos network. This server can be any system except the master KDC.

  2. As you configure the KDCs and Kerberos clients on the network, make them clients of the clock synchronization server. Return to the master KDC to configure the KDC as a client of the clock synchronization server.

  3. Enable the clock synchronization service on all systems.

For the procedures, see Managing Clock Synchronization in Oracle Solaris 11.4.