From Fedora Project Wiki
(Add troubleshooting, trim page) |
(Set time back easily) |
||
| (4 intermediate revisions by the same user not shown) | |||
| Line 2: | Line 2: | ||
|description=Demonstrate that MIT Kerberos 1.11 no longer requires clients to synchronize their system clocks with that of the KDC. | |description=Demonstrate that MIT Kerberos 1.11 no longer requires clients to synchronize their system clocks with that of the KDC. | ||
|setup= | |setup= | ||
# [[ | # Perform [[QA:Testcase_kerberos_setup|prerequisite setup]] before you run these tests. | ||
# You need a domain account, either a user or administrator | # You need a domain account, either a user or administrator. | ||
# Get the client's current system time. | # Get the client's current system time. | ||
#: <pre> $ date </pre> | #: <pre> $ date </pre> | ||
#: <pre> Mon Mar 11 15:47:05 EDT 2013 </pre> | #: <pre> Mon Mar 11 15:47:05 EDT 2013 </pre> | ||
# Set the system time on the client to be | # Set the system time on the client to be between one and two hours ahead. | ||
#: <pre> | #: <pre>sudo date -s "next hour"</pre> | ||
#: <pre> | #: <pre>sudo date -s "next hour"</pre> | ||
#: Yeah, running it twice is a simple way to do that | |||
|actions= | |actions= | ||
# Use an Active Directory domain user account to authenticate to the Active Directory server using kinit | # Use an Active Directory domain user account to authenticate to the Active Directory server using kinit | ||
| Line 27: | Line 27: | ||
Try setting other time offsets to break kerberos clock syncing: | Try setting other time offsets to break kerberos clock syncing: | ||
* More than a day backwards | |||
* More than a day forwards | |||
* Small amount of time backwards | |||
== Troubleshooting == | == Troubleshooting == | ||
| Line 35: | Line 36: | ||
<pre>$ KRB5_TRACE=/dev/stderr kinit user@AD.EXAMPLE.COM</pre> | <pre>$ KRB5_TRACE=/dev/stderr kinit user@AD.EXAMPLE.COM</pre> | ||
To set the time back to normal, do this: | |||
<pre>$ sudo ntpdate pool.ntp.org </pre> | |||
[[Category:Active_Directory_Test_Cases]] [[Category:Kerberos_Test_Cases]] | [[Category:Active_Directory_Test_Cases]] [[Category:Kerberos_Test_Cases]] | ||
Latest revision as of 07:19, 9 May 2013
Description
Demonstrate that MIT Kerberos 1.11 no longer requires clients to synchronize their system clocks with that of the KDC.
Setup
- Perform prerequisite setup before you run these tests.
- You need a domain account, either a user or administrator.
- Get the client's current system time.
$ date
Mon Mar 11 15:47:05 EDT 2013
- Set the system time on the client to be between one and two hours ahead.
sudo date -s "next hour"
sudo date -s "next hour"
- Yeah, running it twice is a simple way to do that
How to test
- Use an Active Directory domain user account to authenticate to the Active Directory server using kinit
$ kinit user@AD.EXAMPLE.COM
Password for user@AD.EXAMPLE.COM
- Make sure that you capitalize the domain name.
- If the above fails with 'Preauthentication failed' then you probably typed the wrong password.
- There should be no output from this command.
Expected Results
- Check that you have an appropriate entry in your credentials cache using the klist command.
$ klist
- You should see a line that has a service principal named "krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM"
More: Other time offsets
Try setting other time offsets to break kerberos clock syncing:
- More than a day backwards
- More than a day forwards
- Small amount of time backwards
Troubleshooting
If you want to file a bug related to this issue, run the command with the the KRB5_TRACE=/dev/stderr environment variable, like this:
$ KRB5_TRACE=/dev/stderr kinit user@AD.EXAMPLE.COM
To set the time back to normal, do this:
$ sudo ntpdate pool.ntp.org