From Fedora Project Wiki


Latest revision as of 07:19, 9 May 2013

Description

Demonstrate that MIT Kerberos 1.11 no longer requires clients to synchronize their system clocks with that of the KDC.

Setup

  1. Perform prerequisite setup before you run these tests.
  2. You need a domain account, either a user or administrator.
  3. Get the client's current system time.
     $ date
     Mon Mar 11 15:47:05 EDT 2013
  4. Set the system time on the client to be between one and two hours ahead.
     $ sudo date -s "next hour"
     $ sudo date -s "next hour"
     Running it twice is a simple way to get the clock between one and two hours ahead.

How to test

  1. Use an Active Directory domain user account to authenticate to the Active Directory server using kinit.
     $ kinit user@AD.EXAMPLE.COM
     Password for user@AD.EXAMPLE.COM
     • Make sure that you capitalize the domain name.
     • If the above fails with 'Preauthentication failed' then you probably typed the wrong password.
     • There should be no output from this command.

Expected Results

  1. Check that you have an appropriate entry in your credentials cache using the klist command.
     $ klist
     • You should see a line that has a service principal named "krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM".

More: Other time offsets

Try setting other time offsets to break Kerberos clock syncing:

  • More than a day backwards
  • More than a day forwards
  • Small amount of time backwards

Troubleshooting

If you want to file a bug related to this issue, run the command with the KRB5_TRACE=/dev/stderr environment variable, like this:

$ KRB5_TRACE=/dev/stderr kinit user@AD.EXAMPLE.COM

To set the time back to normal, do this:

$ sudo ntpdate pool.ntp.org
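As an added example (not part of this wiki test case), the helpers below cover two things the steps above leave to the tester: confirming how far the date -s steps actually moved the client clock relative to its original time, and checking a saved KRB5_TRACE capture for the "Clock skew too great" KDC error that a pre-1.11 client would hit. They assume GNU date (as on Fedora) and the MIT krb5 trace line format "[pid] epoch.usec: message"; the trace fragment is constructed, not real output.

```shell
#!/bin/bash
# Added example, not from the Fedora wiki page. Assumes GNU date and the
# MIT krb5 KRB5_TRACE line format "[pid] epoch.usec: message".

# Value of KRB5KRB_AP_ERR_SKEW, which kinit reports as "Clock skew too great".
KRB5KRB_AP_ERR_SKEW=-1765328347

# Count KDC error lines in a trace file that report clock skew.
# Prints 0 when the file has none.
count_skew_errors() {
    grep -c -- "Received error from KDC: ${KRB5KRB_AP_ERR_SKEW}/" "$1" || true
}

# Seconds between two timestamps accepted by GNU "date -d"; positive when
# the second is later. Run it on the "date" output recorded before and
# after the "date -s" steps to see the offset the KDC will observe.
skew_seconds() {
    local a b
    a=$(date -u -d "$1" +%s) || return 1
    b=$(date -u -d "$2" +%s) || return 1
    echo $(( b - a ))
}

# Compare a skew (seconds, either sign) with the KDC's default 300 s
# clockskew tolerance: beyond it, only a 1.11+ client is expected to succeed.
skew_verdict() {
    local s=${1#-}    # absolute value
    if [ "$s" -le 300 ]; then echo within-tolerance; else echo beyond-tolerance; fi
}

# Write a constructed trace fragment to a temp file and print its path.
write_sample_trace() {
    local f
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
[1234] 1363031225.100000: Getting initial credentials for user@AD.EXAMPLE.COM
[1234] 1363031225.200000: Sending request (193 bytes) to AD.EXAMPLE.COM
[1234] 1363031225.300000: Received error from KDC: -1765328347/Clock skew too great
EOF
    echo "$f"
}

# Stand-alone run: the page's recorded time versus a clock moved 2 hours ahead.
offset=$(skew_seconds "2013-03-11 15:47:05 -0400" "2013-03-11 17:47:05 -0400")
echo "client moved ${offset}s: $(skew_verdict "$offset")"
trace=$(write_sample_trace)
echo "skew errors in trace: $(count_skew_errors "$trace")"
rm -f "$trace"
```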