Time synchronization between the Kerberos Key Distribution Center (KDC) and your Lion Server clients is critical. Time skew, or the difference in time between the KDC and clients requesting Kerberos tickets, can be no more than five minutes. Time zones and daylight saving time aren’t considered in factoring the time skew as long as the relative time between systems is the same.

In other words, if you have a client in Pacific time and a KDC in Eastern time, they both need to be set correctly for their respective time zones. Manually changing the time to match the local time but not changing the time zone causes a time difference of several hours — much more than five minutes. Open Directory compares time based on Universal Decimal Time (UDT).

It’s best to set your Mac OS X Server and client systems to use a time synchronization server running the network time protocol (NTP) to avoid problems with Kerberos and single sign-on for users. The Server Assistant configured this during initial setup, but you can change it. Apple provides several publicly accessible NTP servers via the Internet, or you can run your own time server in Lion Server on a local network.

A public Internet connection isn’t required, but public NTP servers often connect to trusted sources of accurate time data, such as an atomic clock. If you don’t use a public server, manually adjust the time of your private time server in the Date & Time pane of System Preferences.

Enabling time server synchronization

You can use either System Preferences or Server Admin to add or change the NTP server so that the system adjusts its clock automatically. These steps set a time server on both Mac OS X clients and Mac OS X Server. Here’s the procedure for System Preferences:

  1. Choose Apple menu→System Preferences and then click the Date & Time icon.

  2. Under the Date & Time tab, select the Set Date & Time Automatically check box.

  3. From the pop-up menu to the right of the check box, choose an Apple public time server or enter another time server in this field.

    If you’re not using Apple’s time servers, enter the hostname or IP address of another time server or a private time server on your local network.

  4. Quit System Preferences when you’re done.

Server Admin has essentially the same Date & Time pane as System Preferences. Select your server in the left column, click the Settings icon in the toolbar, and click the Date & Time tab.

Running network time protocol in Mac OS X Server

Many servers can run the NTP service, including Mac OS X Server. If your server has Internet access and you want to trust another NTP server for time updates, set the date and time on your NTP server and then follow these steps to start the network time protocol:

  1. Open Server Admin and connect to the server.

  2. Click the server’s name in the left column, click the Settings icon, and then click the General tab.

  3. Select the Network Time Server (NTP) check box and then click Save.

  4. Follow the steps in the previous section, using your NTP server’s hostname or IP address as the time server in the Date & Time pane in System Preferences or in Server Admin.

If the time difference is greater than five minutes, Kerberos tickets can’t be generated, and single sign-on fails for users.
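As an added example (not part of the original text), here is a shell script that checks the five-minute skew rule described in this section and wraps the command-line equivalent of the Date & Time pane steps. It assumes the Lion-era macOS tools `ntpdate -q` and `systemsetup` and the `offset` field in ntpdate’s output; the parsing and limit functions themselves run in any POSIX shell.

```shell
#!/bin/sh
# Added example, not from the original text: verify that this host's clock is
# within the five-minute Kerberos skew limit and, optionally, set the NTP server
# from the command line. Assumes macOS 10.7-era ntpdate and systemsetup; the
# pure functions (parse_ntpdate_offset, skew_within_limit) need only a POSIX shell.

KERBEROS_MAX_SKEW=300   # five minutes, in seconds

# Read "ntpdate -q SERVER" output on stdin and print the signed clock offset
# in seconds (e.g. "-0.002134"); only the first reported offset is used.
parse_ntpdate_offset() {
    sed -n 's/.*offset \(-\{0,1\}[0-9][0-9]*\.\{0,1\}[0-9]*\).*/\1/p' | head -n 1
}

# Return 0 when |offset| <= 300 s, 1 otherwise (awk handles fractional seconds).
skew_within_limit() {
    awk -v off="$1" -v max="$KERBEROS_MAX_SKEW" \
        'BEGIN { if (off < 0) off = -off; exit ((off <= max) ? 0 : 1) }'
}

# Query SERVER (default: time.apple.com) and report whether a KDC synchronized
# to it would still issue tickets to this host. Returns 2 if no answer is available.
check_skew() {
    server=${1:-time.apple.com}
    command -v ntpdate >/dev/null 2>&1 || { echo "ntpdate not found" >&2; return 2; }
    offset=$(ntpdate -q "$server" 2>/dev/null | parse_ntpdate_offset)
    [ -n "$offset" ] || { echo "no reply from $server" >&2; return 2; }
    if skew_within_limit "$offset"; then
        echo "offset ${offset}s from $server: within the Kerberos limit"
    else
        echo "offset ${offset}s from $server: exceeds five minutes, single sign-on will fail" >&2
        return 1
    fi
}

# Command-line equivalent of steps 1-4 above (run as root): set the time server
# and turn on automatic synchronization.
enable_ntp() {
    server=${1:-time.apple.com}
    systemsetup -setnetworktimeserver "$server" && systemsetup -setusingnetworktime on
}
```

Run `check_skew` against your own NTP server after enabling the service to confirm clients are inside the limit before joining them to the Open Directory master.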

After you properly configure and verify DNS records and hostnames for your server and set up time synchronization, proceeding with the Open Directory master configuration is a straightforward endeavor with either Server Preferences or Server Admin and its Open Directory Assistant.