If you're using the kdc.conf that came with Red Hat, you'll want to change the following two lines. Otherwise you'll have problems when storing keys in keytabs, etc. These are the values from a stock MIT kdc.conf. See the bug I filed with Red Hat about this.
The password requested here is the key to securing your Kerberos database, and you'll almost never need to enter it again, so make it something huge and ugly and store it somewhere secure.
Edit /var/kerberos/krb5kdc/kadm5.acl
See the kadmind man page for details of the syntax.
To start with, the following entry will do. It gives anyone with a /admin principal full access.
*/admin@EXAMPLE.COM *
Run /usr/kerberos/sbin/kadmin.local -q "addprinc username/admin"
Where username is your username (your account doesn't have to exist yet)
kadmin.local is a special version of kadmin that bypasses the ACLs for root on the same host as kadmind
Configure kadmind (primary only) and krb5kdc (all KDCs) to be started at boot time
For Red Hat do the following:
chkconfig kadmin on
chkconfig krb5kdc on
/etc/init.d/kadmin start
/etc/init.d/krb5kdc start
Red Hat's kadmin init script does this automatically, but on other systems you'll need to create a keytab for kadmind with a couple of principals:
/usr/kerberos/sbin/kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw"
See the kadmind man page for more details. Thanks to Joshua Schmidlkofer for pointing this out.
Create additional username and username/admin principals as necessary using kadmin
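Every new username/admin principal inherits full access through the wildcard entry in kadm5.acl above, so it is worth checking what the file really grants as it grows. The following Python sketch is an added example, not part of the original guide: it parses kadm5.acl text and flags wildcard principals that hold write privileges over every target. The principals alice, helpdesk and */audit are hypothetical, and the left-to-right handling of permission letters is a simplifying assumption.

```python
# Added example: model of kadm5.acl permission parsing (simplified assumption:
# letters are applied left to right, uppercase removes a privilege).
FULL = set("admcilsp")  # what 'x' or '*' in the permissions field expands to
RISKY = set("admcs")    # add, delete, modify, change password, set key

def parse_acl(text):
    """Return (line_no, principal, granted, target) for each ACL entry."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {no}: expected 'principal permissions'")
        granted = set()
        for ch in fields[1]:
            if ch in "x*":
                granted |= FULL
            elif ch.islower():
                granted.add(ch)
            else:
                granted.discard(ch.lower())
        target = fields[2] if len(fields) > 2 else "*"
        entries.append((no, fields[0], granted, target))
    return entries

def audit(text):
    """Flag wildcard principals that hold write privileges over every target."""
    findings = []
    for no, principal, granted, target in parse_acl(text):
        name = principal.rsplit("@", 1)[0]
        if "*" in name and target == "*" and granted & RISKY:
            findings.append((no, principal, "".join(sorted(granted))))
    return findings

# Constructed sample; only the first entry comes from the guide above.
SAMPLE = """\
# kadm5.acl (constructed)
*/admin@EXAMPLE.COM *
alice/admin@EXAMPLE.COM admcil
helpdesk/admin@EXAMPLE.COM c *@EXAMPLE.COM
*/audit@EXAMPLE.COM il
"""

if __name__ == "__main__":
    for no, principal, perms in audit(SAMPLE):
        print(f"line {no}: {principal} grants '{perms}' to every matching principal")
```

Only the guide's starter entry is flagged in the sample; the named and read-only entries show narrower grants that can replace it once the real set of administrators is known.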
Troubleshooting
On Fedora, to enable Kerberos for PAM, use
authconfig --enablekrb5 --update
Testing
Run kinit username, where username is a principal you've already created. Then run klist; you should now have a Kerberos ticket cached.