Configuring The Kdc - Novell LINUX ENTERPRISE SERVER 11 - SECURITY Manual

Another way to secure the time service while still using the NTP daemon is to attach a hardware reference clock to a dedicated NTP server and an additional hardware reference clock to the KDC.

It is also possible to adjust the maximum deviation Kerberos allows when checking time stamps. This value (called clock skew) can be set in the krb5.conf file as described in Section "Adjusting the Clock Skew" (page 100).

6.4.5 Configuring the KDC

This section covers the initial configuration and installation of the KDC, including the creation of an administrative principal. This procedure consists of several steps:

1 Install the RPMs: On a machine designated as the KDC, install special software packages. Use YaST to install the krb5, krb5-server and krb5-client packages.

2 Adjust the Configuration Files: The configuration files /etc/krb5.conf and /var/lib/kerberos/krb5kdc/kdc.conf must be adjusted for your scenario. These files contain all information on the KDC.

3 Create the Kerberos Database: Kerberos keeps a database of all principal identifiers and the secret keys of all principals that need to be authenticated. Refer to Section "Setting Up the Database" (page 93) for details.

4 Adjust the ACL Files: Add Administrators: The Kerberos database on the KDC can be managed remotely. To prevent unauthorized principals from tampering with the database, Kerberos uses access control lists. You must explicitly enable remote access for the administrator principal to enable him to manage the database. The Kerberos ACL file is located under /var/lib/kerberos/krb5kdc/kadm5.acl. Refer to Section 6.4.7, "Configuring Remote Kerberos Administration" (page 100) for details.

5 Adjust the Kerberos Database: Add Administrators: You need at least one administrative principal to run and administer Kerberos. This principal must be added before starting the KDC. Refer to Section "Creating a Principal" (page 94) for details.
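
An added example, not part of the manual: a shell function that audits the ACL file from step 4 for entries that would let a non-administrator principal change the database. It assumes the MIT Kerberos ACL line format (`principal permissions [target]`, where `*` or `x` grants every privilege) and the convention that administrators use a `/admin` instance; the function name `audit_kadm5_acl` is hypothetical.

```shell
#!/bin/sh
# Added example, not from the manual: audit a kadm5.acl file.
# Assumptions: MIT Kerberos ACL line format "principal permissions [target]"
# and the convention that administrative principals use a /admin instance.
# Prints one line per finding; returns 0 if clean, 1 on findings, 2 if unreadable.

audit_kadm5_acl() {
    acl_file=$1
    status=0
    lineno=0
    [ -r "$acl_file" ] || { echo "ERROR cannot read $acl_file"; return 2; }
    # read splits on whitespace and does not glob, so '*' stays literal
    while read -r princ perms target rest || [ -n "$princ" ]; do
        lineno=$((lineno + 1))
        case $princ in
            ''|'#'*) continue ;;          # blank line or comment
        esac
        if [ -z "$perms" ]; then
            echo "line $lineno: MALFORMED entry for $princ (no permissions)"
            status=1
            continue
        fi
        case $princ in
            */admin@*|*/admin) is_admin=yes ;;
            *)                 is_admin=no ;;
        esac
        case $perms in
            *[x*]*) full=yes ;;           # 'x' and '*' grant every privilege
            *)      full=no ;;
        esac
        if [ "$full" = yes ] && [ "$is_admin" = no ]; then
            echo "line $lineno: FULL privileges for non-admin principal $princ"
            status=1
        elif [ "$is_admin" = no ]; then
            case $princ in
                *'*'*)                    # wildcard outside the /admin instance
                    echo "line $lineno: WILDCARD non-admin principal $princ has '$perms'"
                    status=1 ;;
            esac
        fi
    done < "$acl_file"
    return $status
}
```

Source the file and call `audit_kadm5_acl /var/lib/kerberos/krb5kdc/kadm5.acl` on the KDC before enabling remote administration.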

This manual is also suitable for:

Suse linux enterprise server 11
