>  | 3. forget about problems with time in kdc or named. (I'm not really
>  | serious here)
>
>A question for the kerberos gurus ...
>
>Does "kdc" need to start so early in the boot process?

FWIW, our KDC here (on a Solaris box) starts as the very last process (or
one of the very last).  

>What other services start at boot that might depend upon kdc ?
>nfsd ? sshd ? racoon ?
>Various other login servers (started after LOGIN) ?

Generally, daemon services don't have to talk to the KDC, so they don't
have an explicit dependency (racoon might be the exception).

>Is there any reason that we can't move kdc a bit later,
>to sometime between "SERVERS" and "DAEMON", and explicitly
>depending upon ntpdate?

I can't think of a reason why not.  I suspect that if the time was changed
out from under the KDC, it would simply adapt.

--Ken