Novell LINUX ENTERPRISE SERVER 11 - SECURITY Manual page 112

static configuration case unless you enter IP addresses in krb5.conf instead of
hostnames.
Static Configuration
One way to configure Kerberos is to edit the configuration file /etc/krb5.conf.
The file installed by default contains various sample entries. Erase all of these entries
before starting. krb5.conf is made up of several sections, each introduced by the
section name included in brackets like [this].
To configure your Kerberos clients, add the following stanza to krb5.conf (where
kdc.example.com is the hostname of the KDC):
[libdefaults]
[realms]
The default_realm line sets the default realm for Kerberos applications. If you
have several realms, just add additional statements to the [realms] section.
Also add a statement to this file that tells applications how to map hostnames to a realm.
For example, when connecting to a remote host, the Kerberos library needs to know in
which realm this host is located. This must be configured in the [domain_realms]
section:
[domain_realm]
This tells the library that all hosts in the example.com DNS domains are in the
EXAMPLE.COM Kerberos realm. In addition, one external host named www.foobar
.com should also be considered a member of the EXAMPLE.COM realm.
DNS-Based Configuration
DNS-based Kerberos configuration makes heavy use of SRV records. See (RFC2052)
A DNS RR for specifying the location of services at http://www.ietf.org. These
98 Security Guide
default_realm = EXAMPLE.COM
EXAMPLE.COM = {
kdc = kdc.example.com
admin_server = kdc.example.com
}
.example.com = EXAMPLE.COM
www.foobar.com = EXAMPLE.COM