Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 04-08-2006 Installation Manual page 859

To configure your Kerberos clients, add the following stanza to krb5.conf (where
kdc.example.com is the hostname of the KDC):
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = kdc.example.com
admin_server = kdc.example.com
}
The default_realm line sets the default realm for Kerberos applications. If you
have several realms, just add additional statements to the [realms] section.
Also add a statement to this file that tells applications how to map hostnames to a realm.
For example, when connecting to a remote host, the Kerberos library needs to know in
which realm this host is located. This must be configured in the [domain_realms]
section:
[domain_realm]
.example.com = EXAMPLE.COM
www.foobar.com = EXAMPLE.COM
This tells the library that all hosts in the example.com DNS domains are in the
EXAMPLE.COM Kerberos realm. In addition, one external host named www.foobar
.com should also be considered a member of the EXAMPLE.COM realm.
47.5.2 DNS-Based Configuration
DNS-based Kerberos configuration makes heavy use of SRV records. See (RFC2052)
A DNS RR for specifying the location of services at http://www.ietf.org.
These records are not supported in earlier implementations of the BIND name server.
At least BIND version 8 is required for this.
The name of an SRV record, as far as Kerberos is concerned, is always in the format
_service._proto.realm, where realm is the Kerberos realm. Domain names in
DNS are case insensitive, so case-sensitive Kerberos realms would break when using
this configuration method. _service is a service name (different names are used
when trying to contact the KDC or the password service, for example). _proto can
be either _udp or _tcp, but not all services support both protocols.
Installing and Administering Kerberos 859