Kerberos KDC (key distribution center)

Kerberos Server Configuration

Setup

  1. Slackware - install my kerberos package
  2. Follow these directions:
    1. Edit /etc/krb5.conf
      • Replace EXAMPLE.COM with your realm
      • Replace example.com with your domain
    2. Edit /var/kerberos/krb5kdc/kdc.conf
      • Replace EXAMPLE.COM with your realm
      • If you're using the kdc.conf that came with Red Hat, you'll want to change the following two lines; otherwise you'll have problems when storing keys in keytabs, etc. These are the values from a stock MIT kdc.conf. See the bug I filed with Red Hat about this.
        • master_key_type = des3-hmac-sha1
        • supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
    3. Run /usr/kerberos/sbin/kdb5_util create -s
      • Creates the Kerberos database
      • The password requested here is the key to securing your Kerberos database, and you'll almost never need to enter it again, so make it something huge and ugly and store it somewhere secure.
    4. Edit /var/kerberos/krb5kdc/kadm5.acl
      • See kadmind man page for details of syntax
      • To start with, the following entry will do. It gives anyone with a /admin principal full access.
        */admin@EXAMPLE.COM     *
    5. Run /usr/kerberos/sbin/kadmin.local -q "addprinc username/admin"
      • Where username is your username (your account doesn't have to exist yet)
      • kadmin.local is a special version of kadmin that bypasses the ACLs for root on the same host as kadmind
    6. Configure kadmind (primary only) and krb5kdc (all KDCs) to be started at boot time
      • For Red Hat do the following:
        • chkconfig kadmin on
        • chkconfig krb5kdc on
        • /etc/init.d/kadmin start
        • /etc/init.d/krb5kdc start
    7. Red Hat's kadmin init script does this automatically, but on other systems you'll need to create a keytab for kadmind with a couple of principals:
        /usr/kerberos/sbin/kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw"
      • See the kadmind man page for more details. Thanks to Joshua Schmidlkofer for pointing this out.
    8. Create additional username and username/admin principals as necessary using kadmin
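As an added example (not from this wiki page), a small Python checker for the kadm5.acl entry in step 4: it evaluates which kadmind permissions a given principal would get from an ACL file, showing that */admin grants full access to any two-component principal whose second component is admin, while plain user principals get only what an explicit entry gives them. It assumes first-matching-entry semantics and ignores the optional restrictions column; SAMPLE_ACL is constructed for the example, with only the */admin line taken from the page.

```python
import fnmatch

# Constructed kadm5.acl: only the */admin line comes from the setup steps.
SAMPLE_ACL = """\
# principal                permissions  [target]
# auditor may list principals; uppercase A explicitly denies adding them
auditor/admin@EXAMPLE.COM  lA
# the entry from step 4: anyone with a /admin instance gets everything
*/admin@EXAMPLE.COM        *
# a plain user principal: inquire and list only
john@EXAMPLE.COM           il
"""

ALL_PERMS = frozenset("admcilsp")  # what '*' and 'x' expand to in kadmind


def principal_matches(pattern, principal):
    """Match an ACL pattern against a full principal name component by
    component, so */admin@EXAMPLE.COM matches john/admin@EXAMPLE.COM but
    not john@EXAMPLE.COM (different number of components)."""
    def split(p):
        name, _, realm = p.partition("@")
        return name.split("/"), realm
    pat_comps, pat_realm = split(pattern)
    pri_comps, pri_realm = split(principal)
    if len(pat_comps) != len(pri_comps):
        return False
    return fnmatch.fnmatchcase(pri_realm, pat_realm) and all(
        fnmatch.fnmatchcase(c, p) for c, p in zip(pri_comps, pat_comps))


def parse_acl(text):
    """Yield (principal_pattern, permissions, target_pattern) per entry."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield fields[0], fields[1], fields[2] if len(fields) > 2 else None


def permissions_for(acl_text, principal, target=None):
    """Permissions the first matching entry grants: lowercase letters grant,
    uppercase letters deny, '*' or 'x' mean all. Empty set means no access."""
    for pattern, perms, tpat in parse_acl(acl_text):
        if not principal_matches(pattern, principal):
            continue
        if tpat and not (target and principal_matches(tpat, target)):
            continue  # entry only applies to operations on a matching target
        if perms in ("*", "x"):
            return set(ALL_PERMS)
        return {c for c in perms if c.islower()} - {c.lower() for c in perms if c.isupper()}
    return set()
```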

Troubleshooting

  • On Fedora, to enable Kerberos authentication through PAM, run:
    authconfig --enablekrb5 --update

Testing

Run kinit username, where username is a principal you've already created. Then run klist; you should now have a Kerberos ticket cached.

Info

linux/server/kerberos_kdc.txt · Last modified: 2011/02/21 00:10 by john
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported