From Fedora Project Wiki
(Simpler command for setting the date) |
(Change testing of short offsets first) |
||
| Line 7: | Line 7: | ||
#: <pre> $ date </pre> | #: <pre> $ date </pre> | ||
#: <pre> Mon Mar 11 15:47:05 EDT 2013 </pre> | #: <pre> Mon Mar 11 15:47:05 EDT 2013 </pre> | ||
# Set the system time on the client to be | # Set the system time on the client to be between one and two hours ahead. | ||
#: <pre>sudo date -s " | #: <pre>sudo date -s "next hour"</pre> | ||
#: <pre>sudo date -s "next hour"</pre> | |||
#: Yeah, running it twice is a simple way to do that | |||
|actions= | |actions= | ||
# Use an Active Directory domain user account to authenticate to the Active Directory server using kinit | # Use an Active Directory domain user account to authenticate to the Active Directory server using kinit | ||
| Line 25: | Line 27: | ||
Try setting other time offsets to break kerberos clock syncing: | Try setting other time offsets to break kerberos clock syncing: | ||
* More than a day | * More than a day backwards | ||
* | * More than a day forwards | ||
* Small amount of time backwards | |||
== Troubleshooting == | == Troubleshooting == | ||
Revision as of 07:18, 9 May 2013
Description
Demonstrate that MIT Kerberos 1.11 no longer requires clients to synchronize their system clocks with that of the KDC.
Setup
- Perform prerequisite setup before you run these tests.
- You need a domain account, either a user or administrator.
- Get the client's current system time.
$ date
Mon Mar 11 15:47:05 EDT 2013
- Set the system time on the client to be between one and two hours ahead.
sudo date -s "next hour"
sudo date -s "next hour"
- Yeah, running it twice is a simple way to do that
How to test
- Use an Active Directory domain user account to authenticate to the Active Directory server using kinit
$ kinit user@AD.EXAMPLE.COM
Password for user@AD.EXAMPLE.COM
- Make sure that you capitalize the domain name.
- If the above fails with 'Preauthentication failed' then you probably typed the wrong password.
- There should be no output from this command.
Expected Results
- Check that you have an appropriate entry in your credentials cache using the klist command.
$ klist
- You should see a line that has a service principal named "krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM"
More: Other time offsets
Try setting other time offsets to break kerberos clock syncing:
* More than a day backwards * More than a day forwards * Small amount of time backwards
Troubleshooting
If you want to file a bug related to this issue, run the command with the the KRB5_TRACE=/dev/stderr environment variable, like this:
$ KRB5_TRACE=/dev/stderr kinit user@AD.EXAMPLE.COM