On 08/23/2017 05:23 AM, Benjamin N Hall wrote: > We recently started testing pre-authentication for certain principals, and > I'm seeing an odd issue whereby kinit fails with "Clock skew too great > while getting initial credentials", despite all three KDCs and the client > systems' time being within one second of each other. [...] > The part that seems interesting to me is that the pre-auth encrypted > timestamp appears to be off by way more than 5 minutes from the other > timestamps.
The encrypted timestamp is unexpectedly for 1234 seconds in the future. The only explanation I can think of is that you had a pre-existing ccache with a recorded time offset of roughly 20 minutes. For various reasons I'm not sure that's the right explanation. If you can investigate with a debugger, I would be very interested in knowing the actual cause. The client code in 1.12 and later will use the timestamp sent by the KDC in its PREAUTH_REQUIRED error (assuming kdc_timesync is set to true, which it is by default), which would likely suppress this problem. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
