The actual verification of a client's identity is done by validating an
authenticator. The authenticator contains the client's identity and a
timestamp.

To insure that the authenticator is up-to-date and is not an old one that
has been captured by an attacker, the timestamp in the authenticator is
checked against the current time. If the timestamp is not close enough to
the current time (typically within five minutes) then the authenticator is
rejected as invalid. Thus, Kerberos requires your system clocks to be
loosely synchronized (the default is 5 minutes, but it can be adjusted in
Version 5 to be whatever you want).

The paper:

   * Don Davis, Daniel Geer, and Theodore Ts'o, "Kerberos With Clocks
     Adrift: History, Protocols, and Implementation"
     <http://world.std.com/~dtd/synch/synch.ps>

explains a way for Kerberos principals to securely determine the time
without having to rely on a external time source. This is implemented for
clients only in the Kerberos 5 release. With this in place, clients do not
need to synchronize their system clocks to use Kerberos; however,
application servers need to.

Note that it is possible to use the above technique for application servers
as well as clients; it is just not currently implemented that way.