Kerberos Clock Skew Helper

We’ve all been there! Kerberos suddenly breaks because our clock is out of sync with the Domain Controller.
We get that annoying clock skew error (KRB_AP_ERR_SKEW), and our command fails.

Instead of constantly syncing the system clock or copy‑pasting offsets, I wrote a small helper script that handles the DC time for any command I run.

No more fussing with ntpdate or messing with the system time; the script just works.


Why I Needed This

In AD labs and real environments:

  • My Kali VM is often dazed/spaced out xD (out of sync)
  • Tools fail with clock skew errors
  • Fixing the system time or copy‑pasting a one-liner command repeatedly is annoying

The usual workflow is tedious:

ntpdate -q <dc_ip>
faketime "<copy the offset>" <command>

Or the one-liner I always copy from my notes:

faketime "$(ntpdate -q <dc_ip> | cut -d ' ' -f 1,2)" <command>

Still too much copy‑paste :/


The Script

I wrote a tiny bash wrapper called clockskew:

  • Queries the DC time automatically.
  • Applies faketime with the correct offset.
  • Runs any command you pass in.

Now, instead of the messy manual way, I just do:

clockskew <dc_ip> bloodhound-python -u <user> -p <password> -d <domain> -ns <ip> -c all

Just save the script at:

/usr/bin/clockskew
or
/usr/local/bin/clockskew

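#!/usr/bin/bash

# Need at least a host to query and a command to run.
if [ $# -lt 2 ]; then
    echo "Usage: clockskew <host> <command...>" >&2
    exit 1
fi

# First argument is the DC; everything after it is the command.
HOST="$1"
shift

# Query the DC without touching the system clock and keep the first two
# fields of ntpdate's output (the date and the time it reports).
SKEW=$(ntpdate -q "$HOST" 2>/dev/null | awk '{print $1, $2}')

# Empty output means the query failed (host unreachable, no NTP answer).
if [ -z "$SKEW" ]; then
    echo "[-] Failed to get time from $HOST" >&2
    exit 1
fi

# Run the command with its clock faked to the DC's time.
echo "[+] Using faketime: $SKEW"
faketime "$SKEW" "$@"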
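
The wrapper's awk '{print $1, $2}' only yields a usable value when ntpdate -q prints the date and time as its first two fields. The following is an added example, not part of the original script: a hypothetical dc_timestamp function that validates that layout and goes beyond the post by also handling an offset-only layout ("server ..., offset N, ..."). Both sample outputs are constructed, and the two layouts are assumptions about what your ntpdate build prints.

```bash
# Added example: turn `ntpdate -q` output into a validated faketime timestamp.
# Constructed sample, layout 1: line starts with date and time.
SAMPLE_NEW='2025-01-15 08:30:12.345678 (+0000) +25200.123456 +/- 0.012 10.0.0.5 s1 no-leap'
# Constructed sample, layout 2: only an offset in seconds is reported.
SAMPLE_OLD='server 10.0.0.5, stratum 1, offset 25200.123456, delay 0.02571
15 Jan 00:13:20 ntpdate[4242]: step time server 10.0.0.5 offset 25200.123456 sec'

# dc_timestamp <local_epoch>
# Reads ntpdate -q output on stdin and prints "YYYY-MM-DD HH:MM:SS".
# Returns 1 when neither layout is recognised, so garbage never reaches faketime.
dc_timestamp() {
    local now="$1" out ts off
    out=$(cat)

    # Layout 1: take date and time, dropping fractional seconds.
    ts=$(printf '%s\n' "$out" |
        sed -n 's/^\([0-9]\{4\}-[0-9][0-9]-[0-9][0-9]\) \([0-9][0-9]:[0-9][0-9]:[0-9][0-9]\).*/\1 \2/p' |
        head -n 1)

    if [ -z "$ts" ]; then
        # Layout 2: add the offset (whole seconds) to the local epoch.
        off=$(printf '%s\n' "$out" |
            sed -n 's/^server .*offset \([+-]\{0,1\}[0-9][0-9]*\)[.,].*/\1/p' |
            head -n 1)
        [ -n "$off" ] || return 1
        # GNU date: format the corrected epoch in the local timezone.
        ts=$(date -d "@$((now + off))" '+%Y-%m-%d %H:%M:%S') || return 1
    fi

    printf '%s\n' "$ts"
}

# Inside the wrapper this would replace the awk line:
#   SKEW=$(ntpdate -q "$HOST" 2>/dev/null | dc_timestamp "$(date +%s)")
```

Whole-second precision is enough here, since Kerberos tolerates a skew of five minutes by default.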

TL;DR

  • Kerberos hates clock skew.
  • The clockskew script saves your sanity.
  • Run commands with DC time, leave your VM clock alone.