All hosts that participate in the Kerberos authentication system must have their internal clocks synchronized within a specified maximum amount of time (known as clock skew). This requirement provides another Kerberos security check. If the clock skew is exceeded between any of the participating hosts, client requests are rejected.
The clock skew also determines how long application servers must keep track of Kerberos protocol messages in order to recognize and reject replayed requests. So the larger the clock skew value, the more information application servers have to retain.
The default value for the maximum clock skew is 300 seconds (five minutes). You can lower this default in the libdefaults section of the krb5.conf file.
Because maintaining synchronized clocks between the KDCs and Kerberos clients is important, use the Precision Time Protocol (PTP) or Network Time Protocol (NTP) software to synchronize the clocks. For how to configure clock synchronization in Oracle Solaris, see Enhancing System Performance Using Clock Synchronization and Web Caching in Oracle Solaris 11.3.
The NTP software is installed by default on most Oracle Solaris systems. You can install the PTP software by using the pkg install ptp command.
The following figure shows an example of NTP clock synchronization.
Figure 6 Synchronizing Clocks by Using NTP
Ensuring that the KDCs and Kerberos clients maintain synchronized clocks involves the following steps:
1. Set up a PTP or an NTP server on your Kerberos network. This server can be any system except the master KDC.
2. As you configure the KDCs and Kerberos clients on the network, make them clients of the clock synchronization server. Return to the master KDC to configure the KDC as a client of the clock synchronization server.
3. Enable the clock synchronization service on all systems.
For the procedures, see Enhancing System Performance Using Clock Synchronization and Web Caching in Oracle Solaris 11.3.
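The following POSIX shell script is an added example and is not part of the Oracle Solaris documentation. It ties the two halves of this page together: it reads the clockskew value from the [libdefaults] section of a krb5.conf file (clockskew is the Kerberos parameter name for the tolerance described above; the file lives at /etc/krb5/krb5.conf on Oracle Solaris, and the value is in seconds) and compares it with the offset that ntpq -p reports for the host's selected system peer (the line marked with a leading *, offset in milliseconds). An administrator can run such a check on a KDC or Kerberos client to see whether its NTP offset is still safely inside the Kerberos tolerance before authentication starts failing. The krb5.conf excerpt and the two ntpq outputs are constructed sample data embedded in the script, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Oracle Solaris documentation code): compare the NTP offset
# a host reports against the Kerberos clockskew tolerance in krb5.conf.
#
# On Oracle Solaris the NTP client service is enabled with
#   svcadm enable network/ntp
# and live peer data comes from
#   ntpq -p > /tmp/ntpq.out
# The sample data below stands in for those outputs so the script runs offline.

# Print the clockskew value (seconds) from [libdefaults]; if the key is
# absent, print the Kerberos default of 300 seconds.
krb5_clockskew() {
    awk '
        /^[ \t]*\[/ { in_libdefaults = ($0 ~ /^[ \t]*\[libdefaults\]/) }
        in_libdefaults && /^[ \t]*clockskew[ \t]*=/ {
            sub(/.*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; found = 1; exit
        }
        END { if (!found) print 300 }
    ' "$1"
}

# Print the offset (milliseconds) of the selected system peer, which ntpq -p
# marks with a leading '*'. Prints nothing when no peer has been selected.
ntp_sys_peer_offset_ms() {
    awk '$1 ~ /^\*/ { print $9; exit }' "$1"
}

# Exit 0 when |offset| is inside the clockskew tolerance, 1 when it is not,
# and 2 when the host has no selected peer (unsynchronised, cannot judge).
skew_within_limit() {
    skew_s=$(krb5_clockskew "$1")
    offset_ms=$(ntp_sys_peer_offset_ms "$2")
    [ -n "$offset_ms" ] || return 2
    awk -v s="$skew_s" -v o="$offset_ms" 'BEGIN {
        if (o < 0) o = -o
        exit (o / 1000 < s ? 0 : 1)
    }'
}

# --- constructed sample inputs (not captured from a real system) ---
KRB5_SAMPLE=$(mktemp)
NTPQ_GOOD=$(mktemp)
NTPQ_DRIFT=$(mktemp)
trap 'rm -f "$KRB5_SAMPLE" "$NTPQ_GOOD" "$NTPQ_DRIFT"' EXIT

# krb5.conf excerpt with the tolerance lowered from the 300 s default to 120 s
cat > "$KRB5_SAMPLE" <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.COM
        clockskew = 120

[realms]
        EXAMPLE.COM = {
                kdc = kdc1.example.com
        }
EOF

# ntpq -p output from a well-synchronised host: system peer offset -1.234 ms
cat > "$NTPQ_GOOD" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.com 192.0.2.10       2 u   45   64  377    0.412   -1.234   0.087
+ntp2.example.com 192.0.2.11       2 u   12   64  377    0.801    0.950   0.120
EOF

# ntpq -p output from a drifted host: 150000 ms = 150 s, beyond the 120 s limit
cat > "$NTPQ_DRIFT" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.com 192.0.2.10       2 u   45   64  377    0.412 150000.0   0.087
EOF

# Stand-alone run: report the verdict for both sample hosts.
for f in "$NTPQ_GOOD" "$NTPQ_DRIFT"; do
    if skew_within_limit "$KRB5_SAMPLE" "$f"; then
        echo "offset $(ntp_sys_peer_offset_ms "$f") ms: within clockskew $(krb5_clockskew "$KRB5_SAMPLE") s"
    else
        echo "offset $(ntp_sys_peer_offset_ms "$f") ms: OUTSIDE clockskew $(krb5_clockskew "$KRB5_SAMPLE") s, Kerberos requests will be rejected"
    fi
done
```

The comparison deliberately uses the peer offset rather than the reachability column alone: a host can have a reachable, selected peer and still be far enough off that Kerberos rejects its requests, which is the condition this check is meant to surface.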