Manually Configuring Kerberos Clients - Novell LINUX ENTERPRISE SERVER 10 SP2 - INSTALLATION AND ADMINISTRATION Installation Manual


Next, create another principal named newbie/admin by typing ank newbie/admin
at the kadmin prompt. The admin suffixed to your username is a role. Later, use this
role when administering the Kerberos database. A user can have several roles for
different purposes. Roles are basically completely different accounts with similar names.
46.4.4 Starting the KDC
Start the KDC daemon and the kadmin daemon. To start the daemons manually, enter
rckrb5kdc start and rckadmind start. Also make sure that the KDC and kadmind
are started by default when the server machine is rebooted by running the commands
insserv krb5kdc and insserv kadmind.
46.5 Manually Configuring Kerberos Clients
When configuring Kerberos, there are basically two approaches you can take: static
configuration in the /etc/krb5.conf file or dynamic configuration with DNS.
With DNS configuration, Kerberos applications try to locate the KDC services using
DNS records. With static configuration, add the hostnames of your KDC server to
krb5.conf (and update the file whenever you move the KDC or reconfigure your realm
in other ways).
DNS-based configuration is generally a lot more flexible and requires much less
configuration work per machine. However, it requires that your realm name is either the
same as your DNS domain or a subdomain of it. Configuring Kerberos via DNS also
creates a minor security issue: an attacker can seriously disrupt your infrastructure
through your DNS (by shooting down the name server, spoofing DNS records, etc.).
However, this amounts to a denial of service at most. A similar scenario applies to the
static configuration case unless you enter IP addresses in krb5.conf instead of
hostnames.
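
The hostname-versus-IP point above can be checked mechanically. The following Python is an added example, not part of the Novell manual: it parses the [realms] section of a krb5.conf and marks each kdc and admin_server entry that still depends on DNS, and it tests whether a realm name meets the requirement for DNS-based configuration. The realm, hostnames and addresses in the sample are constructed placeholders.

```python
import ipaddress

# Constructed sample [realms] section; realm and hosts are placeholders.
SAMPLE_KRB5_CONF = """
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = 192.0.2.10:88
        admin_server = kdc1.example.com
    }
"""

def is_ip_literal(value):
    """True if a kdc/admin_server value is an IP address, optionally with :port."""
    host = value.strip()
    if host.startswith("["):            # [IPv6]:port form
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:          # name:port or IPv4:port
        host = host.split(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_realms(conf_text):
    """Map each realm to (key, value, depends_on_dns) for its kdc/admin_server lines."""
    report, section, realm = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":     # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif section == "realms":
            if line == "}":
                realm = None
            elif line.endswith("{"):
                realm = line.split("=", 1)[0].strip()
                report[realm] = []
            elif realm and "=" in line:
                key, value = (p.strip() for p in line.split("=", 1))
                if key in ("kdc", "admin_server"):
                    report[realm].append((key, value, not is_ip_literal(value)))
    return report

def realm_fits_dns_domain(realm, dns_domain):
    """DNS lookup needs the realm to equal the DNS domain or be a subdomain of it."""
    r, d = realm.lower().rstrip("."), dns_domain.lower().rstrip(".")
    return r == d or r.endswith("." + d)
```

Entries reported with depends_on_dns set to True are the ones a DNS outage or spoofed record can affect in a static configuration.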

This manual is also suitable for:

Suse linux enterprise server 10 sp3
