Kerberos Authorization Directory


Configure DNS

Although the SRV records are not mandatory, a properly configured DNS server makes client configuration much easier.

Let us assume that we own the domain organization.com and that the KDC is located on a server named kad. The SRV records should be (in BIND zone syntax):

_ldap._tcp                    SRV     10 1 389 kad
_kerberos._udp                SRV     10 1 88 kad
_kerberos._tcp                SRV     10 1 88 kad
_kpasswd._udp                 SRV     10 1 464 kad

If we want to use this KDC and realm for any other DNS domain, a simple TXT record lets local clients obtain the proper values, again avoiding manual editing of the domain_realm section of krb5.conf.

_kerberos                     TXT    "ORGANIZATION.COM"
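The zone fragment above is easy to get subtly wrong (a service on the wrong port, a missing TXT hint, a lower-case realm). The following validator is an added example and is not part of the Kerberos Authorization Directory project; it parses a BIND-style fragment, checks each Kerberos-related SRV record against the well-known port it must announce, and checks the _kerberos TXT realm hint. The zone text embedded in it is constructed to reproduce the records shown on this page, plus a deliberately broken variant.

```python
"""Validate the Kerberos/LDAP SRV and TXT records of a BIND zone fragment.

Added example (not part of the Kerberos Authorization Directory project);
the zone text below is constructed to match the records shown on the page.
"""
import re

# Services a Kerberos client needs to locate, with the port each must announce.
# Assumption: the standard well-known ports (LDAP 389, Kerberos 88, kpasswd 464).
EXPECTED_SRV = {
    "_ldap._tcp": 389,
    "_kerberos._udp": 88,
    "_kerberos._tcp": 88,
    "_kpasswd._udp": 464,
}

# BIND record syntax: owner [TTL] [IN] SRV prio weight port target
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)
# owner [TTL] [IN] TXT "text"
TXT_RE = re.compile(
    r'^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+"(?P<text>[^"]*)"\s*$'
)


def parse_zone(text):
    """Return (srv, txt).

    srv maps an owner name to a list of (prio, weight, port, target) tuples;
    txt maps an owner name to a list of strings. Blank lines and BIND
    comments (";") are skipped; records of other types are ignored.
    """
    srv, txt = {}, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = SRV_RE.match(line)
        if m:
            srv.setdefault(m["name"], []).append(
                (int(m["prio"]), int(m["weight"]), int(m["port"]), m["target"])
            )
            continue
        m = TXT_RE.match(line)
        if m:
            txt.setdefault(m["name"], []).append(m["text"])
    return srv, txt


def check_zone(text, realm, kdc_host):
    """Return a list of problems; an empty list means the fragment is consistent."""
    srv, txt = parse_zone(text)
    problems = []
    for name, port in EXPECTED_SRV.items():
        records = srv.get(name)
        if not records:
            problems.append(f"missing SRV record for {name}")
            continue
        for _prio, _weight, rport, target in records:
            if rport != port:
                problems.append(f"{name} announces port {rport}, expected {port}")
            if target.rstrip(".") != kdc_host:
                problems.append(f"{name} points at {target}, expected {kdc_host}")
    realms = txt.get("_kerberos", [])
    if not realms:
        problems.append("missing _kerberos TXT record (realm hint)")
    for value in realms:
        if value != realm:
            problems.append(f"_kerberos TXT is {value!r}, expected {realm!r}")
        if value != value.upper():
            problems.append(f"realm hint {value!r} is not upper-case")
    return problems


# Constructed zone fragment reproducing the page's records for organization.com.
SAMPLE_ZONE = """
_ldap._tcp                    SRV     10 1 389 kad
_kerberos._udp                SRV     10 1 88 kad
_kerberos._tcp                SRV     10 1 88 kad
_kpasswd._udp                 SRV     10 1 464 kad
_kerberos                     TXT    "ORGANIZATION.COM"
"""

# Constructed broken variant: kpasswd announced on port 88 and no TXT hint.
BROKEN_ZONE = """
_ldap._tcp      SRV 10 1 389 kad   ; comment lines are tolerated
_kerberos._udp  SRV 10 1 88 kad
_kerberos._tcp  SRV 10 1 88 kad
_kpasswd._udp   SRV 10 1 88 kad
"""

if __name__ == "__main__":
    for label, zone in (("sample", SAMPLE_ZONE), ("broken", BROKEN_ZONE)):
        print(label, check_zone(zone, "ORGANIZATION.COM", "kad") or "ok")
```

Once the zone is loaded, the same records can be confirmed from a client with dig, for example `dig +short SRV _kerberos._udp.organization.com` and `dig +short TXT _kerberos.organization.com`. One caveat worth keeping in mind: these answers are plain DNS, so without DNSSEC a client that maps hostnames to realms from the TXT record trusts whatever the resolver returns. MIT Kerberos therefore ships with dns_lookup_realm disabled by default while leaving dns_lookup_kdc enabled, since a KDC located through a spoofed SRV record still has to prove knowledge of the realm keys, whereas a spoofed realm mapping can redirect a client to a realm of the attacker's choosing; enable dns_lookup_realm only where the resolver path is trusted or signed.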

Time synchronization

Timestamps are one of the criteria used to check the validity of Kerberos tickets, so a certain degree of synchronization is required (clocks within a few minutes of each other). If any message about clock skew appears, the clock difference is larger than allowed.
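To make the skew limit concrete and to triage the "clock skew" messages the paragraph mentions, here is an added example that is not part of the project. It assumes the MIT krb5 default tolerance of 300 seconds (the clockskew setting in krb5.conf), compares a client clock against a KDC clock, and scans syslog-style lines for the client-side error text "Clock skew too great" to list which hosts need their time fixed. The log lines and timestamps are constructed.

```python
"""Clock-skew checks for Kerberos clients.

Added example, not part of the Kerberos Authorization Directory project.
Assumes the MIT krb5 default tolerance of 300 seconds (krb5.conf
`clockskew`); the log lines and timestamps below are constructed.
"""
import re
from datetime import datetime, timezone

MAX_SKEW_SECONDS = 300  # assumption: MIT krb5 default `clockskew`


def clock_skew_ok(client_time, kdc_time, max_skew=MAX_SKEW_SECONDS):
    """Return (ok, skew_seconds) for two timezone-aware datetimes.

    The direction of the difference does not matter: a client that is
    ahead of the KDC is rejected just like one that is behind.
    """
    skew = abs((client_time - kdc_time).total_seconds())
    return skew <= max_skew, skew


# syslog line: "Mon DD HH:MM:SS host program[pid]: message"
# "Clock skew too great" is the text MIT krb5 prints for KRB5KRB_AP_ERR_SKEW.
SKEW_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+(?P<host>\S+)\s+\S+:\s+.*Clock skew too great"
)


def hosts_with_skew_errors(log_text):
    """Return {host: count} for every host that logged a Kerberos clock-skew error."""
    counts = {}
    for line in log_text.splitlines():
        m = SKEW_RE.match(line)
        if m:
            counts[m["host"]] = counts.get(m["host"], 0) + 1
    return counts


# Constructed timestamps: the KDC is 6 minutes 17 seconds ahead of the client.
CLIENT_TIME = datetime(2024, 3, 3, 10, 1, 13, tzinfo=timezone.utc)
KDC_TIME = datetime(2024, 3, 3, 10, 7, 30, tzinfo=timezone.utc)

# Constructed syslog excerpt from the client side.
SAMPLE_LOG = """\
Mar  3 10:01:13 ws21 kinit[4412]: Clock skew too great while getting initial credentials
Mar  3 10:01:20 ws21 kinit[4420]: Clock skew too great while getting initial credentials
Mar  3 10:02:05 ws07 kinit[2210]: Password incorrect while getting initial credentials
Mar  3 10:03:44 ws33 sshd[918]: Clock skew too great
"""

if __name__ == "__main__":
    ok, skew = clock_skew_ok(CLIENT_TIME, KDC_TIME)
    print(f"skew {skew:.0f}s within {MAX_SKEW_SECONDS}s: {ok}")
    for host, n in sorted(hosts_with_skew_errors(SAMPLE_LOG).items()):
        print(f"{host}: {n} clock-skew error(s), check its NTP configuration")
```

Hosts reported by hosts_with_skew_errors are the ones whose NTP client is missing or not syncing; fixing the time source is the remedy, and raising clockskew on the KDC should be avoided because the skew window is also the replay-detection window.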
