Subject: Re: kdc rc.d startup [was: rc.d: time synchronization issues ...]
To: Nathan J. Williams <nathanw@wasabisystems.com>
From: Tracy Di Marco White <gendalia@gendalia.org>
List: tech-userlevel
Date: 03/16/2005 11:44:38
In message <mtuacp3iko6.fsf@contents-vnder-pressvre.mit.edu>, "Nathan J. Williams" writes:
>Jason Thorpe <thorpej@shagadelic.org> writes:
>
>> kdc provides authentication, potentially for many other services
>> (which may or may not know they actually need Kerberos [c.f. PAM], so
>> can't really have an explicit dependency).  It is my opinion that
>> "kdc" should start as early as possible, and have a "BEFORE: ...",
>> probably SERVERS at this stage.
>
>That doesn't sound right. The KDC is principally providing a
>network-wide service. The other services in the world trying to use it
>have to cope with it not being there while the KDC's host is booting;
>other servers that run on the KDC machine (you run other services on
>the KDC machine?!?!?!?!) can cope just as well with that as with the
>temporary disappearance of a foreign KDC.

The only network-wide service I may run on the machine that provides
my KDC is time service.  Running anything else complicates securing
the machine.  Since it is the only service the machine is for, and
Kerberos is something where having good time is important, having
it start after ntpd/ntpdate/whatever is a good thing, although it
should adjust.  Clients will not be able to use the KDC until they're
within 5 minutes of whatever time the KDC thinks it is, though.

Even at home, where I am less free with throwing machines into
service for one thing only, my KDC runs on its own machine.

-Tracy
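As an added illustration of the two points raised in this exchange (expressing "start kdc after time sync" as an rc.d dependency, and the 5 minute clock-skew window clients must be inside), here is a constructed rc.d-style wrapper with a prestart clock check. It is example code, not NetBSD's own /etc/rc.d/kdc. The PROVIDE/REQUIRE/BEFORE keywords are real rcorder syntax, but the ordering they express (after ntpd, before SERVERS) is taken from the opinions in the thread; the KDC_REFERENCE_EPOCH variable, the kdc_precmd helper and the /usr/libexec/kdc path are assumptions made for this example.

```shell
#!/bin/sh
#
# Constructed example of an rc.d-style wrapper for kdc (not NetBSD's own
# /etc/rc.d/kdc). The rcorder keywords below are real NetBSD rc.d syntax;
# the ordering they express (after ntpd, before SERVERS) is assumed from
# the discussion in this thread.
#
# PROVIDE: kdc
# REQUIRE: ntpd
# BEFORE:  SERVERS

# Kerberos clients cannot talk to a KDC whose clock differs from theirs by
# more than the skew limit; the thread cites 5 minutes (300 seconds).
KDC_MAX_SKEW=${KDC_MAX_SKEW:-300}

# skew_within_limit REFERENCE_EPOCH LOCAL_EPOCH [LIMIT]
# Returns 0 when |REFERENCE - LOCAL| <= LIMIT, 1 otherwise.
skew_within_limit() {
    ref=$1; now=$2; limit=${3:-$KDC_MAX_SKEW}
    diff=$((ref - now))
    [ "$diff" -lt 0 ] && diff=$((-diff))
    [ "$diff" -le "$limit" ]
}

# kdc_precmd: assumed prestart hook. For this example the trusted reference
# time comes from the constructed KDC_REFERENCE_EPOCH variable (defaulting
# to the local clock); a real prestart would take it from the NTP peer that
# the REQUIRE: ntpd line guarantees has already started.
kdc_precmd() {
    ref=${KDC_REFERENCE_EPOCH:-$(date +%s)}
    if skew_within_limit "$ref" "$(date +%s)"; then
        return 0
    fi
    echo "kdc: local clock is more than ${KDC_MAX_SKEW}s from reference; not starting" >&2
    return 1
}

# On a NetBSD host with rc.subr available, hand off to the standard rc
# machinery; elsewhere (or with no action argument) only the functions above
# are defined. /usr/libexec/kdc is an assumed daemon path.
if [ -r /etc/rc.subr ] && [ $# -gt 0 ]; then
    . /etc/rc.subr
    name="kdc"
    rcvar=$name
    command="/usr/libexec/kdc"
    start_precmd="kdc_precmd"
    load_rc_config $name
    run_rc_command "$1"
fi
```

The prestart check refuses to bring the KDC up when the local clock is outside the window, which turns "it should adjust" into something observable in the boot log rather than a silent stretch of failed client authentications.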