Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 04-08-2006 Installation Manual page 860


The data portion of SRV resource records consists of a priority value, a weight, a port
number, and a hostname. The priority defines the order in which hosts should be tried
(lower values indicate a higher priority). The weight is there to support some sort of
load balancing among servers of equal priority. You probably do not need any of this,
so it is okay to set these to zero.
MIT Kerberos currently looks up the following names when looking for services:

_kerberos
This defines the location of the KDC daemon (the authentication and ticket granting
server). Typical records look like this:

_kerberos._udp.EXAMPLE.COM.      IN  SRV  0 0 88 kdc.example.com.
_kerberos._tcp.EXAMPLE.COM.      IN  SRV  0 0 88 kdc.example.com.

_kerberos-adm
This describes the location of the remote administration service. Typical records
look like this:

_kerberos-adm._tcp.EXAMPLE.COM.  IN  SRV  0 0 749 kdc.example.com.

Because kadmind does not support UDP, there should be no _udp record.

As with the static configuration file, there is a mechanism to inform clients that a
specific host is in the EXAMPLE.COM realm, even if it is not part of the example.com
DNS domain. This can be done by attaching a TXT record to _kerberos.hostname,
as shown here:

_kerberos.www.foobar.com.        IN  TXT  "EXAMPLE.COM"

47.5.3 Adjusting the Clock Skew

The clock skew is the tolerance for accepting tickets with time stamps that do not exactly
match the host's system clock. Usually, the clock skew is set to 300 seconds (five
minutes). This means a ticket can have a time stamp somewhere between five minutes ago
and five minutes in the future from the server's point of view.

When using NTP to synchronize all hosts, you can reduce this value to about one minute.
The clock skew value can be set in /etc/krb5.conf like this:

[libdefaults]
clockskew = 120
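
The SRV and TXT records described earlier in this section are easy to get subtly wrong (a misspelled _kerberos label, a _udp record for kadmind). The following check is an added example, not part of the original manual; the function name, the sample zone lines and the policy of expecting all three SRV records per realm are assumptions of this example.

```python
import re

# Transports per service label, as the text describes them: the KDC is
# listed for UDP and TCP, kadmind for TCP only (it does not support UDP).
EXPECTED = {"_kerberos": {"_udp", "_tcp"}, "_kerberos-adm": {"_tcp"}}

# Constructed sample zone lines; the last two contain deliberate mistakes.
SAMPLE_ZONE = """\
_kerberos._udp.EXAMPLE.COM.     IN SRV 0 0 88 kdc.example.com.
_kerberos._tcp.EXAMPLE.COM.     IN SRV 0 0 88 kdc.example.com.
_kerberos-adm._tcp.EXAMPLE.COM. IN SRV 0 0 749 kdc.example.com.
_kerberos.www.foobar.com.       IN TXT "EXAMPLE.COM"
_kerberos-adm._udp.EXAMPLE.COM. IN SRV 0 0 749 kdc.example.com.
_keberos.mail.foobar.com.       IN TXT "EXAMPLE.COM"
"""

SRV_RE = re.compile(
    r"^(_[\w-]+)\.(_udp|_tcp)\.(\S+)\s+IN\s+SRV\s+\d+\s+\d+\s+\d+\s+(\S+)$")
TXT_RE = re.compile(r'^(_[\w-]+)\.\S+\s+IN\s+TXT\s+"[^"]+"$')

def lint_kerberos_records(zone_text):
    """Return a sorted list of findings for Kerberos SRV/TXT record lines."""
    findings, seen = [], set()
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        srv, txt = SRV_RE.match(line), TXT_RE.match(line)
        if srv:
            service, proto, realm, target = srv.groups()
            if service not in EXPECTED:
                findings.append(f"unknown service label {service}")
            elif proto not in EXPECTED[service]:
                findings.append(f"{service} should have no {proto} record")
            else:
                seen.add((service, proto, realm.upper()))
            if not target.endswith("."):
                findings.append(f"SRV target {target} is not fully qualified")
        elif txt and txt.group(1) != "_kerberos":
            findings.append(f"TXT label {txt.group(1)} should be _kerberos")
        elif not txt:
            findings.append(f"unparsed line: {line}")
    # Assumed policy: each realm seen carries every record in EXPECTED.
    for realm in {r for _, _, r in seen}:
        for service, protos in EXPECTED.items():
            for proto in protos:
                if (service, proto, realm) not in seen:
                    findings.append(f"missing {service}.{proto}.{realm}")
    return sorted(findings)
```

Calling lint_kerberos_records(SAMPLE_ZONE) reports the stray _udp record for _kerberos-adm and the misspelled TXT label; a zone with only the first four lines yields no findings.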


This manual is also suitable for:

Suse linux enterprise server 10