Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.427 (Entity 5.427)
Subject: kinit to AD server should be more tolerant of clock skew
X-RT-Original-Encoding: iso-8859-1
Content-Length: 608

Since the introduction of the get_init_creds interfaces, we have been 
including a start time in all initial ticket requests, not just ones where 
the caller asked for a specific start time.  The start time is ignored by 
MIT and Heimdal KDCs for non-postdated requests, but AD will reply with an 
error if the requested start time is in the future relative to the KDC, 
defeating the kdc_timesync option in one direction.

This change in the gic behavior also disabled the client check for too 
much clock skew in the KDC reply, since that check only operates if the 
start time was omitted in the request.