Question: Do the clocks have to be in sync and how does this affect logins.
Answer: The only time users will have problems authenticating is if the time on the client machine drifts more than 5 minutes from the time on the server machine.
Users who are currently logged in will remain logged in, but will no longer be able to authenticate to new services using their kerberos credentials. New users will not be able to log in until the clocks are synchronized between the client and the server. This is used to prevent replay attacks.
The adjoin command will perform this syncing and keeping both clocks in sync. However if you do not want our program to do that you can use the -t option for adjoin and for our adclient daemon will disable this by editing the /etc/init.d/centrifydc startup script and adding the option -t -1 to the adclient line. The " -t or --notime " is used to indicate that you do not want to update the local computer time. Under normal circumstances, the local computer time should be updated to be synchronized with the Kerberos Key Distribution Center (KDC) in Active Directory. If you use this option, some ticket authentications may fail.