GALINA@IBM.COM ("Galina Kofman") (02/08/91)
***** Reply to your note of: Thu, 7 Feb 91 12:12:04 EST ******************

We at IBM recognize the necessity of time synchronization.
We are looking into the possibility of implementing ntp or dtp.

Galina Kofman.
OPSRJH@UCCVMA.UCOP.EDU (Richard Hintz) (02/09/91)
On Thu, 7 Feb 91 14:54:31 EST you said:
>***** Reply to your note of: Thu, 7 Feb 91 12:12:04 EST ******************
>We at IBM recognize the necessity of time synchronization.
>We are looking into the possibility of implementing ntp or dtp.

I guess what I understand from this reply is that it is technically not possible to use VM as a Kerberos authentication server for application clients and servers not residing on the same machine.

It would seem that there would be formidable obstacles to implementing ntp or dtp on 3090 class mainframes (as anyone who has ever initialized a 3090 system and set the TOD clock would probably corroborate).

I hope that the solution doesn't require the IBM Sysplex Timer. At a list price of $32,000, it's expensive and doesn't even exploit the current network time sync technology (since it dials NIST instead of referring to the Stratum-1/2 etc. time referents).

Richard Hintz
opsrjh@uccvma.ucop.edu
opsrjh@uccvma
University of California
louie@SAYSHELL.UMD.EDU ("Louis A. Mamakos") (02/09/91)
Rather than synchronizing the clock on the IBM system, you can just provide the "correct" time to the Kerberos related entities on the system. Provide a service on the system that can supply "correct" time, and don't worry about correcting the system's clock.

One possibility is to have a shared segment with the current offset between the system time and the correct time maintained by an NTP process. The offset is not likely to change very rapidly, and this might be a "cheap" way to supply correct time to cooperating applications.

louie
smb@ulysses.att.com (02/09/91)
> On Thu, 7 Feb 91 14:54:31 EST you said:
> >***** Reply to your note of: Thu, 7 Feb 91 12:12:04 EST ******************
> >We at IBM recognize the necessity of time synchronization.
> >We are looking into the possibility of implementing ntp or dtp.
>
> I guess what I understand from this reply is that it is technically not possible to use VM as a Kerberos authentication server for application clients and servers not residing on the same machine.

I fear I'm sadly misunderstanding the problem. Kerberos does not require closely-synchronized clocks. As I recall the README files and installation manuals, the default clock skew is 5 minutes. Unless the drift is very bad -- not my (comparatively ancient) experience with IBM mainframes -- this shouldn't be a problem. (Assuming, of course, that whoever set the time didn't get the year wrong or some such...)

Granted, NTP can't be used unless someone implements a robotic arm to flip the clock enable switch. But surely someone can set the time to within a few seconds of UTC without particular trauma. And, while that's not nearly good enough for distributed file systems, it's more than ample for current Kerberos implementations.
mischu@allegra.att.com (Michael Merritt) (02/09/91)
Please be careful about setting the time by any other than a secure mechanism. Doing otherwise exposes you to replay attacks.

Michael Merritt
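
An added example, not part of any post in this thread: a simplified timestamp check that ties together the offset-corrected clock, the 5-minute skew window and the replay concern raised above. All class and function names are hypothetical and the replay cache is reduced to (client, timestamp) pairs; this is not the Kerberos library's API, and the times are constructed values.

```python
from dataclasses import dataclass, field
from typing import Callable

CLOCK_SKEW = 300  # seconds: the 5-minute default skew mentioned in the thread


@dataclass
class OffsetClock:
    """Corrected time = raw system clock + offset kept by a time daemon."""
    raw_clock: Callable[[], float]   # uncorrected system time, in seconds
    offset: float = 0.0              # stands in for the shared-segment value

    def now(self) -> float:
        return self.raw_clock() + self.offset


@dataclass
class AuthenticatorChecker:
    """Accepts a timestamp once, and only inside the skew window."""
    clock: OffsetClock
    skew: int = CLOCK_SKEW
    seen: dict = field(default_factory=dict)   # (client, ts) -> ts

    def check(self, client: str, ts: float) -> str:
        now = self.clock.now()
        # Entries older than the window are dropped: the skew test is
        # expected to reject them from now on, so they need no cache slot.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.skew}
        if abs(now - ts) > self.skew:
            return "reject: outside skew window"
        if (client, ts) in self.seen:
            return "reject: replay"
        self.seen[(client, ts)] = ts
        return "accept"


def demo() -> list:
    raw = [1_000_000.0]                     # constructed: system clock 600 s slow
    clock = OffsetClock(lambda: raw[0], offset=600.0)
    chk = AuthenticatorChecker(clock)
    ts = 1_000_580.0                        # client stamp, 20 s behind true time
    out = [chk.check("alice", ts)]          # fresh: accepted
    out.append(chk.check("alice", ts))      # same stamp again: replay
    raw[0] += 3600                          # an hour later
    out.append(chk.check("alice", ts))      # stale, and purged from the cache
    clock.offset -= 3600                    # offset taken from an unauthenticated source
    out.append(chk.check("alice", ts))      # the hour-old stamp is accepted again
    return out


if __name__ == "__main__":
    print(demo())
```

The last result is the failure the final post warns about: the replay cache only has to remember one skew window, so the value feeding `offset` needs the same protection as the system clock itself.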