[1239] in Kerberos
Re: Time Synchronization for IBM VM and MVS System
daemon@ATHENA.MIT.EDU (smb@ulysses.att.com)
Fri Feb 8 15:07:35 1991
From: smb@ulysses.att.com
To: Richard Hintz <OPSRJH@uccvma.ucop.edu>
Cc: Galina Kofman <GALINA@IBM.COM>, kerberos@ATHENA.MIT.EDU,
Date: Fri, 08 Feb 91 14:33:37 EST
On Thu, 7 Feb 91 14:54:31 EST you said:
>***** Reply to your note of: Thu, 7 Feb 91 12:12:04 EST *************
*****
>We at IBM recognize the necessity of time synchronization.
>We looking into possibility of implementing ntp or dtp.
I guess I understand from this reply is that it is technically
not possible to use VM as a Kerberos authentication server for
application clients and servers not residing on the same
machine.
I fear I'm sadly misunderstanding the problem. Kerberos does not require
closely-synchronized clocks. As I recall the README files and installation
manuals, the default clock skew is 5 minutes. Unless the drift is very
bad -- not my (comparatively ancient) experience with IBM mainframes --
this shouldn't be a problem. (Assuming, of course, that whoever set the
time didn't get the year wrong or some such...)
Granted, NTP can't be used unless someone implements a robotic arm to flip the
clock enable switch. But surely someone can set the time to within a
few seconds of UTC without particular trauma. And, while that's not
nearly good enough for distributed file systems, it's more than ample
for current Kerberos implementations.
