From Fedora Project Wiki
Description
Demonstrate that MIT Kerberos 1.11 no longer requires clients to synchronize their system clocks with that of the KDC.
Setup
- Perform prerequisite setup before you run these tests.
- You need a domain account, either a user or administrator.
- Get the client's current system time.
$ date
Mon Mar 11 15:47:05 EDT 2013
- Set the system time on the client to be between one and two hours ahead.
$ sudo date -s "next hour"
$ sudo date -s "next hour"
- Running the command twice is a simple way to do that.
How to test
- Use an Active Directory domain user account to authenticate to the Active Directory server using kinit
$ kinit user@AD.EXAMPLE.COM
Password for user@AD.EXAMPLE.COM
- Make sure that you capitalize the domain name.
- If the above fails with 'Preauthentication failed' then you probably typed the wrong password.
- There should be no output from this command.
Expected Results
- Check that you have an appropriate entry in your credentials cache using the klist command.
$ klist
- You should see a line that has a service principal named "krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM"
More: Other time offsets
Try other time offsets to see whether they break Kerberos clock syncing:
- More than a day backwards
- More than a day forwards
- Small amount of time backwards
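One way to script the offsets above, as an added example that is not part of the original test case. It assumes GNU date, sudo, ntpdate and the MIT kinit, klist and kdestroy tools; the function names and the exact offset amounts are hypothetical choices.

```shell
# Added example, not part of the Fedora test case. Function names and
# offset amounts are assumptions; commands are those used on the page.

# has_tgt REALM: read klist output on stdin; succeed only if it lists
# the ticket-granting ticket krbtgt/REALM@REALM as a service principal.
# The comparison is case-sensitive, so the realm must be capitalized.
has_tgt() {
    awk -v want="krbtgt/$1@$1" '$NF == want { found = 1 } END { exit !found }'
}

# try_offset PRINCIPAL OFFSET: skew the clock by OFFSET (a GNU date string),
# run kinit, check the cache, then restore the clock whatever happened.
try_offset() {
    principal=$1
    offset=$2
    realm=${principal#*@}
    kdestroy 2>/dev/null                    # start from an empty credentials cache
    sudo date -s "$offset" >/dev/null || return 2
    result=FAIL
    if kinit "$principal" && klist | has_tgt "$realm"; then
        result=PASS
    fi
    sudo ntpdate pool.ntp.org >/dev/null    # same reset command as Troubleshooting
    echo "$offset: $result"
    [ "$result" = PASS ]
}

# run_all PRINCIPAL: one run per bullet in the list above.
run_all() {
    for off in "2 days ago" "2 days" "10 minutes ago"; do
        try_offset "$1" "$off"
    done
}

# Usage (interactive; kinit prompts for the password on every run):
#   run_all user@AD.EXAMPLE.COM
```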
Troubleshooting
If you want to file a bug related to this issue, run the command with the KRB5_TRACE=/dev/stderr environment variable set, like this:
$ KRB5_TRACE=/dev/stderr kinit user@AD.EXAMPLE.COM
To set the time back to normal, do this:
$ sudo ntpdate pool.ntp.org