12.07.2015 Views

Red Hat Enterprise Linux 5 Administration Unleashed

Enabling Kerberos

Configuring the Kerberos Server

Before setting up a Kerberos server or client, the clocks on the server and all the clients must be in sync. If the clocks on the server and a client are too far apart (5 minutes by default), the credentials are ignored and the client is not authenticated. It is recommended that administrators use the Network Time Protocol (NTP) on the server and clients to keep the clocks in sync. Refer to Chapter 19, “Explaining Other Common Network Services,” for details on configuring NTP.

Customizing the Kerberos Configuration Files

On the system you are setting up as a Kerberos server, install the krb5-server and krb5-workstation RPM packages. The /etc/krb5.conf file is the main configuration file for the server. This file is formatted using the following style:

    [section]
    tag=value
    tag=value
    tag=value

The following sections exist:

  • [libdefaults]: Default values for Kerberos.
  • [login]: Default values for the Kerberos login program.
  • [appdefaults]: Default values for applications that use Kerberos.
  • [realms]: Define the server location of each Kerberos realm.
  • [domain_realm]: Associates subdomains and domain names to Kerberos realm names. Required if domain names are not used as realm names.
  • [logging]: Logging preferences. Refer to “Logging Kerberos Connections” for details.
  • [cpaths]: Paths to authentication certificates, if used.

At a bare minimum, replace all the example.com domain references and EXAMPLE.COM realm references in the existing /etc/krb5.conf file with your domain. The file is case-sensitive, so be sure to preserve the upper- or lowercase.

Also configure the realm and other settings for the KDC in /var/kerberos/krb5kdc/kdc.conf. The following sections can be defined:

  • [kdcdefaults]: Default values for the KDC.
  • [realms]: Define the server locations for each Kerberos realm.

At a bare minimum, replace EXAMPLE.COM in the existing kdc.conf with your realm name, which is usually a domain name in all uppercase letters.
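A pre-flight check for the edits described above, as an added example that is not from the book: it parses the [section] / tag=value layout, flags any leftover example.com or EXAMPLE.COM placeholder, and reports realm references whose case does not exactly match a realm defined in [realms]. The LAB.TEST realm, the host names and the sample file are constructed for illustration, and the parser assumes each realm block opens with "{" on the realm line and closes with "}" on its own line.

```python
import re
# Constructed sample: a krb5.conf where the placeholder edit was left half done.
SAMPLE = """\
[libdefaults]
 default_realm = LAB.TEST
[realms]
 LAB.TEST = {
  kdc = kdc1.lab.test:88
  admin_server = kerberos.example.com:749
 }
[domain_realm]
 .lab.test = Lab.Test
 lab.test = LAB.TEST
"""

PLACEHOLDER = re.compile(r"example\.com", re.IGNORECASE)

def parse(text):
    """Return {section: [(lineno, tag, value)]} for the [section] / tag=value layout."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or line == "}":
            continue  # blank line, comment, or end of a realm block
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
        elif "=" in line and current is not None:
            tag, value = (part.strip() for part in line.split("=", 1))
            sections.setdefault(current, []).append((lineno, tag, value))
    return sections

def lint(text):
    """Return sorted (lineno, message) findings; an empty list means the file passes."""
    findings = [(n, "placeholder example.com/EXAMPLE.COM still present")
                for n, raw in enumerate(text.splitlines(), 1)
                if PLACEHOLDER.search(raw) and raw.strip()[0] not in "#;"]
    conf = parse(text)
    # Realm names are the tags in [realms] that open a brace block.
    realms = {tag for _, tag, value in conf.get("realms", []) if value.startswith("{")}
    refs = [e for e in conf.get("libdefaults", []) if e[1] == "default_realm"]
    refs += conf.get("domain_realm", [])
    for lineno, tag, value in refs:
        if value not in realms:  # exact match: the file is case-sensitive
            findings.append((lineno, f"realm {value!r} is not defined in [realms]"))
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(f"line {n}: {m}" for n, m in lint(SAMPLE)))
```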
