CHAPTER 13
Configuring Kerberos and NTP on Ubuntu Server
Using an Alternative Method to Handle Authentication
The preceding two chapters explained how to use a public key infrastructure (PKI) to secure services. A PKI protects network traffic very well and can also be used for authentication. Kerberos was developed purely as an authentication service and not to protect network traffic. Kerberos has become an increasingly popular choice for authentication, particularly because Microsoft uses it in Active Directory environments, including in Linux implementations of Active Directory. In this chapter, you’ll read how to set up Kerberos version 5 on Ubuntu Server. Because Kerberos heavily depends on proper time synchronization, I’ll first explain how to set up an NTP time server.
Configuring an NTP Time Server
To use Kerberos for authentication, the nodes involved must agree on the time that is used. If there is too much time difference between the Kerberos server and the Kerberos client, authentication will be refused. Therefore, it is a good idea to set up an NTP time server first. Once you have done that, you need to choose between the two Kerberos versions that are available: MIT Kerberos, which is the original Kerberos that was developed by the Massachusetts Institute of Technology, and Heimdal Kerberos, which was meant to be an improvement on MIT Kerberos but has never become very popular on Linux. For that reason, this chapter covers how to set up MIT Kerberos, version 5 in particular, which is the current version. Version 4 has some major security problems, so you should not use that version; use version 5 only.
For many networked applications (Heartbeat clustering, for example, introduced in
figuration file, in which you’ll find the UTC= setting. To use UTC on your server, make sure its value is set to yes; if you don’t want to use UTC, set it to UTC=no. The latter choice is reasonable only in an environment in which all servers are in the same local time zone.
The local time zone setting is maintained in the /etc/localtime binary file, which is created upon installation and contains information about your local time zone. To change it afterward, you need to create a link to the configuration file that contains information on your local time zone. You can find these configuration files in /usr/share/zoneinfo. Next, link the appropriate file to the /etc/localtime file. For example, sudo ln -sf /usr/share/zoneinfo/MET /etc/localtime changes your local time zone setting to Middle European Time (MET).
If, on the other hand, a reference clock is used, a server does not get its time from a server on the Internet but instead determines its own time. Again, the default stratum
complex. Basically, you just need three lines to create an NTP time server, as shown in Listing 13-1.
Listing 13-1. Example ntp.conf Configuration
server 127.127.1.0
fudge 127.127.1.0 stratum 10
server ntp.yourprovider.somewhere
The first line in Listing 13-1 specifies what server the NTP daemon should use if the connection with the NTP time server is lost for a long period of time (specified in advanced settings); this line makes sure that the local clock in your server will not drift too much, by making a reference to a local clock. Every type of local clock has its own IP address from the range of loopback IP addresses. The format of this address is 127.127.<t>.<i>, where the third byte refers to the type of local clock that is used and the fourth byte refers to the instance of the clock your server is connected to. The default address to use to refer to the local computer clock is 127.127.1.0. Notice that all clocks that can be used as an external reference clock connected locally to your server have their own IP address. The documentation for your clock tells you what address to use.
Tip: Even if your server is connected to an NTP server that’s directly on the Internet, it makes sense to use at least one local external reference clock on your network as well, to ensure that time synchronization continues if the Internet connection fails for a long period of time.
The second line in Listing 13-1 defines what should happen if the server falls back to the local external reference clock specified in the first line. This line starts with the key-
setting determines how often a client should try to synchronize its time if time is not properly synchronized, and the maxpoll value indicates how often synchronization should occur if time is properly synchronized. The values for the minpoll and maxpoll parameters are kind of weird logarithmically: they refer to the power of 2 that should be used. Therefore, minpoll 4 is actually 2^4 (which equals 16 seconds), and the default value of 1,024 seconds can be noted as minpoll 10 (2^10). Any value between 4 and 17, inclusive, can be used.
If you are configuring an NTP node as a server, you can use the broadcast mechanism as well. This makes sense if your server is used as the NTP time server for local computers that are on the same network (because broadcast packets are not forwarded by routers). If you want to do this, make sure the line broadcast 192.168.0.255 (use the broadcast
Too often, ntpdate is used only for troubleshooting purposes, after the administrator finds out that ntpd isn’t synchronizing properly. In this case, the administrator is likely to see a “socket already in use” error message. This happens because ntpd has already claimed port 123 for NTP time synchronization. You can verify this with the netstat -platune | grep 123 command, which displays the application currently using port 123. Before ntpdate can be used successfully in this scenario, the administrator should make sure that ntpd is shut down on the client by using /etc/init.d/ntp stop.
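The check described above, turned into a small script. This is an added example, not code from the book: it parses netstat -platune output to find out which process holds UDP port 123 and refuses to run ntpdate while the port is taken. The netstat text embedded below is constructed for the demonstration (the PIDs, inode numbers and the sshd and dhclient sockets are invented); the function names udp123_holder and ntpdate_if_port_free are my own.

```shell
#!/bin/sh
# Added example (not from the book): find out which process holds UDP port 123
# before running ntpdate. The parser works on the output of "netstat -platune";
# the sample text below is constructed, not captured from a real host.

# udp123_holder: read netstat output on stdin; print the PID/program name of the
# socket bound to UDP port 123 and exit 0, or exit 1 if the port is free.
udp123_holder() {
    awk '$1 ~ /^udp/ && $4 ~ /:123$/ { print $NF; found = 1 }
         END { exit (found ? 0 : 1) }'
}

# Constructed sample of "netstat -platune" output while ntpd is running.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          9876       812/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           0          12345      1234/ntpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          11111      700/dhclient'

# Constructed sample after ntpd has been stopped: only the DHCP client socket is left.
SAMPLE_NETSTAT_FREE='udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          11111      700/dhclient'

# ntpdate_if_port_free SERVER: refuse to run ntpdate while another process still
# owns the port, which is exactly what produces the "socket already in use"
# error. This function touches the real host (netstat, ntpdate); the
# administrator is expected to stop ntpd first, as the text above says.
ntpdate_if_port_free() {
    holder=$(netstat -platune 2>/dev/null | udp123_holder) && {
        echo "UDP port 123 is held by $holder; run /etc/init.d/ntp stop before ntpdate" >&2
        return 1
    }
    ntpdate "$1"
}

# Demo on the constructed sample: prints "1234/ntpd".
printf '%s\n' "$SAMPLE_NETSTAT" | udp123_holder
```

Matching on the local-address column rather than grepping the whole line avoids false hits on a connection whose foreign port, inode or PID happens to contain 123.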
If the time difference between server and client is not greater than 1,000 seconds, ntp.conf can be configured on the NTP client. A typical NTP client configuration is very simple—you just need to specify the server you want to get the time from, as in the following example:
server 192.168.0.10
command, which offers its own interactive interface from which the status of any NTP service can be requested. As when using the FTP client, you can use a couple of commands to “remotely control” the NTP server. In this interface, you can use the help command to see a list of available commands.
As an alternative, you can run ntpq with some command-line options. For example, the ntpq -p command gives an overview of current synchronization status. Listing 13-3 provides an example of the result, in which several parameters are displayed:
• remote: The name of the other server
• refid: The IP address of the server you are synchronizing with
• st: The stratum used by the other server
• t: The type of clock used on the other server (L stands for local clock; u for an Inter-
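Reading ntpq -p output by hand is fine for one host; across a fleet you want a script that answers the questions that matter for Kerberos: which peer is ntpd actually synchronized to, and is the offset small enough for tickets to be accepted. The following is an added example, not code from the book. The ntpq -p text it parses is constructed (hostnames under example.net, addresses from the 192.0.2.0/24 documentation range); it relies on the ntpq convention that the selected system peer is marked with a leading '*' tally code, candidates with '+', and unused peers with a space, and on the column order shown in the header line. The function names are my own, and the offset threshold is whatever the caller passes in (MIT Kerberos rejects tickets whose clock skew exceeds its clockskew setting, 300 seconds by default).

```shell
#!/bin/sh
# Added example (not from the book): parse "ntpq -p" output to find the system
# peer, check its offset against a limit, and list peers that never answer.

# Constructed "ntpq -p" output: two Internet peers (t = u) and the local clock (t = l).
# Column order: remote refid st t when poll reach delay offset jitter.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.net 192.0.2.10       2 u   34   64  377    1.234   -0.512   0.210
+ntp2.example.net 192.0.2.11       2 u   50   64  377    2.100    0.830   0.301
 LOCAL(0)        .LOCL.          10 l   12   64  377    0.000    0.000   0.001'

# Constructed output from a daemon that has not reached its peer at all yet.
SAMPLE_NTPQ_NOSYNC='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp1.example.net 192.0.2.10       2 u   34   64    0    0.000    0.000   0.000'

# ntp_sync_peer: print "remote stratum offset" for the '*' system peer;
# exit 1 when ntpd has not selected a peer.
ntp_sync_peer() {
    awk 'substr($0, 1, 1) == "*" { print substr($1, 2), $3, $9; found = 1 }
         END { exit (found ? 0 : 1) }'
}

# ntp_offset_ok MAX_MS: exit 0 only if a system peer exists and its absolute
# offset (column 9, in milliseconds) is at most MAX_MS.
ntp_offset_ok() {
    awk -v max="$1" '
        substr($0, 1, 1) == "*" { off = $9 + 0; if (off < 0) off = -off; ok = (off <= max) }
        END { exit (ok ? 0 : 1) }'
}

# ntp_unreached: list peers whose reach register is 0, i.e. none of the last
# eight polls got an answer. These are the ones to look at first.
ntp_unreached() {
    awk 'NR > 2 {
             line = substr($0, 2)            # drop the one-character tally code
             split(line, f, /[ \t]+/)
             if (f[7] == 0) print f[1]
         }'
}

# Demo: prints "ntp1.example.net 2 -0.512".
printf '%s\n' "$SAMPLE_NTPQ" | ntp_sync_peer
```

Running `ntpq -p | ntp_offset_ok 300000` on a Kerberos client before joining a realm tells you whether a failed login is a time problem or an authentication problem; the reach check catches the case where ntpd is up but a firewall silently drops UDP 123.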
Thus far, I have explained the basic NTP time configuration, but you can also fine-tune the configuration to guarantee a higher degree of precision. There are several files that you can use for this purpose. First are the files that are created automatically by the NTP daemon. Next, there are some security settings in ntp.conf that you can use to limit which servers are allowed to get time from your server. In this section, you’ll read about fine-tuning the NTP drift file and NTP log file and applying NTP security.
Configuring the NTP Drift File
No matter how secure the local clock on your computer is, it’s always going to be slightly off: either too fast or too slow. For example, a clock might lag behind NTP time by 2 seconds every hour. This difference is referred to as the clock’s drift factor, and it’s calculated by comparing the local clock with the clock on the server that provides NTP time to the local machine. Because NTP is designed also to synchronize time when the connection to the NTP time server is lost, the NTP process on your local computer must know what this drift factor is. So, to calculate the right setting for the drift factor, it’s very important that an accurate time is being used on the server with which you are synchronizing.
Once NTP time synchronization has been established, a drift file is created automatically. On Ubuntu Server, this file is created in /var/lib/ntp/ntp.drift, and the local NTP process uses it to calculate the exact drifting of your local clock, which thus allows it to compensate for the drift. Because the drift file is created automatically, you don’t need to worry about it. However, you can choose where the file is created by using the driftfile
idea, add some lines to ntp.conf, as shown in Listing 13-4.
Listing 13-4. Applying Security Restrictions to Your NTP Time Server
restrict default noquery notrust nomodify
restrict 127.0.0.1
restrict 192.168.0.0 mask 255.255.255.0
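Two of the settings in this chapter are easy to get wrong silently: the restrict default line from Listing 13-4, which is what stops arbitrary hosts from querying or modifying your server, and the minpoll/maxpoll exponents from the earlier section, which ntpd only accepts in the range 4 to 17. The script below is an added example, not code from the book: an audit that reads an ntp.conf and reports both problems. The "good" configuration it is fed is Listing 13-1 combined with Listing 13-4 (with a minpoll/maxpoll pair added to the server line); the "weak" one is constructed to trigger the warnings. The function name audit_ntp_conf is my own.

```shell
#!/bin/sh
# Added example (not from the book): audit an ntp.conf for an open
# "restrict default" line and for minpoll/maxpoll values outside 4..17.

# audit_ntp_conf: read ntp.conf on stdin, print one "WARN: ..." line per
# finding, exit 0 when the file is clean and 1 otherwise.
audit_ntp_conf() {
    awk '
        function warn(msg) { print "WARN: " msg; findings++ }
        /^[ \t]*#/ || NF == 0 { next }                 # skip comments and blank lines
        $1 == "restrict" && $2 == "default" {
            seen_default = 1
            has_noquery = 0; has_nomodify = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "noquery")  has_noquery = 1
                if ($i == "nomodify") has_nomodify = 1
            }
            if (!has_nomodify) warn("restrict default lacks nomodify: remote hosts may change the running configuration")
            if (!has_noquery)  warn("restrict default lacks noquery: remote hosts may read server status with ntpq/ntpdc")
        }
        $1 == "server" || $1 == "peer" { sources++ }
        {
            # minpoll/maxpoll may appear on any server or peer line
            for (i = 1; i < NF; i++)
                if ($i == "minpoll" || $i == "maxpoll") {
                    v = $(i + 1) + 0
                    if (v < 4 || v > 17)
                        warn($i " " $(i + 1) " on line " NR " is outside the allowed range 4..17")
                }
        }
        END {
            if (!seen_default) warn("no \"restrict default\" line: every host gets full access")
            if (!sources)      warn("no server or peer line: nothing to synchronize with")
            exit (findings ? 1 : 0)
        }'
}

# Constructed: Listing 13-1 plus Listing 13-4, with explicit poll exponents.
GOOD_CONF='server 127.127.1.0
fudge 127.127.1.0 stratum 10
server ntp.yourprovider.somewhere minpoll 4 maxpoll 10
restrict default noquery notrust nomodify
restrict 127.0.0.1
restrict 192.168.0.0 mask 255.255.255.0'

# Constructed: a weak configuration with a wide-open default restriction and
# an out-of-range minpoll (2^3 = 8 seconds is below the minimum ntpd accepts).
WEAK_CONF='server ntp.yourprovider.somewhere minpoll 3
restrict default'

# Demo on the weak file: prints three WARN lines and exits 1.
printf '%s\n' "$WEAK_CONF" | audit_ntp_conf
```

The audit only checks the default line, because the later, more specific restrict lines in Listing 13-4 are meant to open access again for localhost and the local subnet. One thing to keep in mind when copying the listing: on ntpd 4.2 and later, notrust means "deny service unless the packet is cryptographically authenticated", so with that line in place only hosts matched by a later, less restrictive restrict line (here 127.0.0.1 and 192.168.0.0/24) can get time without configured keys.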