
Re: Compatibility problem?



On Mon, 28 Apr 2008 16:17:50 +0200 (CEST)
<alexander.behrend@arcor.de> wrote:

> Hi Subscribers,
> 
> I don't know if I am at the right place for my question, but I have a problem
> with Heimdal Kerberos.
> 
> First I obtain a ticket, which works.
> When I try to connect I get the "Clock skew too great in KDC reply error".
> I have done all possible research on the internet to investigate the problem.
> I did time syncs and time zone settings to solve it, but nothing helps.
> 
> My Systems
>     Server
>     Heimdal 1.1 on Suse Linux 10.3
>     
>     Client
>     Windows Vista
>     to get Tickets: MIT Network Identity Manager
>     Client Programs: Putty and WinSCP (show the same clock skew error)
> 
> I had made some tries with changing time at my client machine hour per hour,
> when time was nearly equal, it shows "Clock skew too great in KDC reply" and if
> time differs it shows me only "clock skew too great".
> 
> Do you have any idea?

Hi Alexander,

The "Clock skew too great" error means that the time difference between
the client and the KDC and the server hosting the Kerberos service being
accessed is too large (usually around 5 minutes).

I have seen this problem many times and in every case, despite customers
claiming otherwise, the problem always turned out to be that the clocks
were in fact not correct.

You must simply carefully examine the time on all three machines involved
- the client, the KDC and the server (sounds like the SSH server in this
case) and fix the time using 'ntpdate ntp.suse.de' or whatever method.

I recently ran into someone who had this error and insisted that their
clocks were correct. Turned out they were only looking at the time but
the *day* was off by one. And still they had the same "Clock skew too
great" error. Finally they gave me RDC access and I found that the time
was set to AM and not PM. Apparently the customer was using the "time"
command at a command prompt which without the /T flag does not show you
AM vs PM and they assumed it was correct.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
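
An added example, not part of the original messages: a small check that normalises each machine's full date and time to UTC before comparing, so a day that is off by one or an AM/PM mix-up shows up as skew even when the wall-clock digits look the same. The host labels, readings and the 5-minute tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from itertools import combinations

MAX_SKEW = timedelta(minutes=5)  # assumed tolerance ("usually around 5 minutes")

def to_utc(wall_clock, utc_offset_hours):
    """Parse a full date + time (12-hour with AM/PM, or 24-hour) and normalise to UTC."""
    for fmt in ("%Y-%m-%d %I:%M:%S %p", "%Y-%m-%d %H:%M:%S"):
        try:
            local = datetime.strptime(wall_clock, fmt)
            break
        except ValueError:
            continue
    else:
        raise ValueError(f"unrecognised time format: {wall_clock!r}")
    tz = timezone(timedelta(hours=utc_offset_hours))
    return local.replace(tzinfo=tz).astimezone(timezone.utc)

def skew_pairs(readings, max_skew=MAX_SKEW):
    """Return (host_a, host_b, seconds) for each pair further apart than max_skew."""
    utc = {host: to_utc(*reading) for host, reading in readings.items()}
    bad = []
    for a, b in combinations(sorted(utc), 2):
        delta = abs(utc[a] - utc[b])
        if delta > max_skew:
            bad.append((a, b, int(delta.total_seconds())))
    return bad

# Constructed readings, taken at the same moment: (wall clock, UTC offset in hours).
AM_PM_MIXUP = {
    "kdc":    ("2008-04-28 16:20:05", 2),
    "sshd":   ("2008-04-28 16:21:10", 2),
    "client": ("2008-04-28 04:19:40 AM", 2),   # should have been PM
}
DAY_OFF_BY_ONE = dict(AM_PM_MIXUP, client=("2008-04-29 04:19:40 PM", 2))
ALL_GOOD = dict(AM_PM_MIXUP, client=("2008-04-28 04:19:40 PM", 2))

if __name__ == "__main__":
    for name, readings in [("AM/PM", AM_PM_MIXUP), ("day off", DAY_OFF_BY_ONE), ("ok", ALL_GOOD)]:
        print(name, skew_pairs(readings))
```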