Adjusting the Clock Skew
The clock skew is the tolerance for accepting tickets whose time stamps do not exactly
match the host's system clock. Usually, the clock skew is set to 300 seconds (five minutes).
This means a ticket can have a time stamp anywhere between five minutes in the past and
five minutes in the future, from the server's point of view; a ticket or authenticator
outside that window is rejected.
When all hosts are synchronized with NTP, you can reduce this value to one or two minutes.
A smaller skew narrows the window in which a captured authenticator could be replayed, but
a host whose clock drifts beyond it can no longer authenticate, so lower the value only where
NTP is known to be working. The clock skew value is set, in seconds, in /etc/krb5.conf like this:
[libdefaults]
clockskew = 120
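As an added example (not code from the guide or from MIT krb5), the following reads the clockskew setting from a krb5.conf-style text, falling back to the 300-second default when the option is absent, and then applies the window check to a constructed ticket time stamp. The krb5.conf text, the realm EXAMPLE.COM and the time stamps are all constructed for the example; the check is the same comparison the text describes, shown once with the default skew and once with the tightened value.

```python
"""Added example (not from the SUSE guide): parse clockskew from a
krb5.conf-style text and decide whether a ticket time stamp falls inside
the accepted window.  The configuration below is constructed."""
import re
from datetime import datetime, timedelta, timezone

DEFAULT_CLOCKSKEW = 300  # MIT krb5 default: five minutes, in seconds

# Constructed sample configuration, modelled on the snippet in the text.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    clockskew = 120

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""


def parse_clockskew(conf_text):
    """Return clockskew (seconds) from [libdefaults], or the default.

    Only the [libdefaults] section is consulted; '#' comments and blank
    lines are ignored, as in krb5.conf.
    """
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "clockskew":
                return int(value.strip())
    return DEFAULT_CLOCKSKEW


def ticket_time_acceptable(server_now, ticket_time, skew):
    """True when |server_now - ticket_time| is within the skew window.

    The window is symmetric: a time stamp may lie up to `skew` seconds in
    the past or in the future relative to the server's clock.
    """
    return abs((server_now - ticket_time).total_seconds()) <= skew


def demo():
    """Same four-minute-old ticket under the default and the tightened skew."""
    skew = parse_clockskew(SAMPLE_KRB5_CONF)
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed
    four_minutes_old = now - timedelta(minutes=4)
    return {
        "configured_skew": skew,
        "accepted_with_default": ticket_time_acceptable(
            now, four_minutes_old, DEFAULT_CLOCKSKEW),
        "accepted_with_configured": ticket_time_acceptable(
            now, four_minutes_old, skew),
    }


if __name__ == "__main__":
    print(demo())
```

With the default 300-second skew the four-minute-old ticket is accepted; with clockskew = 120 it is refused, which is exactly the failure you will see on a host that drifts after the value has been lowered.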
6.4.7 Configuring Remote Kerberos Administration
To add and remove principals in the Kerberos database without logging in at the KDC's
console, tell the Kerberos administration server (kadmind) which principals are allowed
to do what. Do this by editing the file /var/lib/kerberos/krb5kdc/kadm5.acl. The ACL
(access control list) file lets you grant privileges with a fine degree of control: each
line names a principal (wildcards are allowed), the permissions it receives, and optionally
the target principals it may act on. For details, refer to the manual page with man 8 kadmind.
Right now, just grant yourself the privilege to do anything you want with the database
by putting the following line into the file:
newbie/admin *
Replace the username newbie with your own. Restart kadmind for the change to take
effect. For day-to-day administration, prefer entries that grant a role only the
permissions it needs rather than a bare *.
You should now be able to perform Kerberos administration tasks remotely using the
kadmin tool. kadmin first obtains a ticket for your admin principal (you are prompted
for its password) and then uses that ticket for the connection to the kadmin server.
The getprivs command shows the privileges the ACL grants you:
kadmin -p newbie/admin
Authenticating as principal newbie/admin@EXAMPLE.COM with password.
Password for newbie/admin@EXAMPLE.COM:
kadmin: getprivs
current privileges: GET ADD MODIFY DELETE
kadmin:
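To make the ACL semantics concrete, here is an added example (not code from the guide or from MIT krb5) that parses kadm5.acl entries and evaluates them the way kadmind does, first matching entry wins. It serves both the kadm5.acl section above and the getprivs transcript: the sample ACL is constructed and pairs the guide's "do anything" entry with a least-privilege entry for a hypothetical helpdesk role, and getprivs_line reproduces the wording of the transcript. Only the form principal / permissions / optional target is handled; the restrictions field and *n back-references of the real format are assumed absent.

```python
"""Added example, not code from the SUSE guide or from MIT krb5: a small
evaluator for kadm5.acl entries of the form
    principal   permissions   [target_principal]
where '*' matches one whole principal component (or the realm).  The
restrictions field and '*n' back-references are NOT implemented.  The ACL
text below is constructed for this example."""

# Permission letters from kadmind(8); an uppercase letter disallows the privilege.
PRIV_NAMES = {
    "a": "ADD", "c": "CHANGEPW", "d": "DELETE", "e": "EXTRACT", "i": "INQUIRE",
    "l": "LIST", "m": "MODIFY", "p": "PROPAGATE", "s": "SETKEY",
}
# 'x' and '*' grant every privilege except key extraction ('e').
ALL_PRIVS = set(PRIV_NAMES) - {"e"}

# Constructed sample ACL: line 1 is the guide's "do anything" entry; line 2 lets
# a hypothetical helpdesk role only inquire about and reset passwords of
# single-component user principals, never of */admin principals.
SAMPLE_ACL = """\
# principal                permissions   target
newbie/admin@EXAMPLE.COM   *
helpdesk/*@EXAMPLE.COM     ci            *@EXAMPLE.COM
"""


def parse_acl(text):
    """Return a list of (principal_pattern, permissions, target_pattern or None)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed kadm5.acl line: %r" % raw)
        target = fields[2] if len(fields) > 2 else None
        entries.append((fields[0], fields[1], target))
    return entries


def _split(principal, default_realm):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM'); no realm means the local one."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        name, realm = principal, default_realm
    return name.split("/"), realm


def principal_matches(pattern, principal, default_realm):
    """Component-wise match: '*' stands for exactly one component or the realm."""
    pat_comps, pat_realm = _split(pattern, default_realm)
    comps, realm = _split(principal, default_realm)
    if pat_realm not in ("*", realm) or len(pat_comps) != len(comps):
        return False
    return all(p in ("*", c) for p, c in zip(pat_comps, comps))


def expand_permissions(perms):
    """Expand a permissions field into the set of granted privilege letters."""
    allowed, denied = set(), set()
    for ch in perms:
        if ch in ("*", "x"):
            allowed |= ALL_PRIVS
        elif ch.lower() in PRIV_NAMES:
            (denied if ch.isupper() else allowed).add(ch.lower())
        else:
            raise ValueError("unknown permission letter %r" % ch)
    return allowed - denied


def privileges_for(entries, client, target=None, default_realm="EXAMPLE.COM"):
    """Privileges `client` holds for an operation on `target`.

    As in kadmind, the first entry whose principal (and target, if the entry
    carries one) matches decides; no matching entry means no privileges.
    """
    for who, perms, tgt in entries:
        if not principal_matches(who, client, default_realm):
            continue
        if tgt is not None and (target is None or
                                not principal_matches(tgt, target, default_realm)):
            continue
        return expand_permissions(perms)
    return set()


def getprivs_line(privs):
    """The subset that kadmin's getprivs reports, in its own wording."""
    order = [("i", "GET"), ("a", "ADD"), ("m", "MODIFY"), ("d", "DELETE")]
    return "current privileges: " + " ".join(n for l, n in order if l in privs)


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print(getprivs_line(privileges_for(acl, "newbie/admin@EXAMPLE.COM")))
    print(sorted(privileges_for(acl, "helpdesk/jane@EXAMPLE.COM", "alice@EXAMPLE.COM")))
    print(sorted(privileges_for(acl, "helpdesk/jane@EXAMPLE.COM", "newbie/admin@EXAMPLE.COM")))
```

The bare * entry yields the four privileges the transcript shows, while the helpdesk entry gets only change-password and inquire on plain user principals and nothing at all against newbie/admin, because its one-component target pattern cannot match a two-component name.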
Security Guide