Sam Stelfox

Thoughts from a software engineer, systems hacker and Linux gubernāre.


Kerberos is a network authentication system.


The servers require the following packages be installed:

It is very important that NTPdate is already configured and running on all of the client systems as well as the server. Kerberos is heavily dependant on synchronized clocks.

Master Configuration

Edit the configuration files (provided at the bottom).

Create the initial database for the realm, it will ask for a master password for the database. DO NOT FORGET THIS!!

kdb5_util create -s

Create an administrator user, it will ask for the password ensure that it is strong as this account will be able to create, delete, and see principal's keys.

kadmin.local -q "addprinc <<username>>/admin"

Set the services to startup automatically and start them up:

chkconfig krb5kdc on
chkconfig kadmin on
/etc/init.d/krb5kdc start
/etc/init.d/kadmin start

After the database has been started you'll need to create at least one normal user, it will ask for a password for the account.

[[email protected] ~]# kadmin -p <<username>>/admin
kadmin:  addprinc <<username>>


Please note these instructions are untested but they are believed to be correct.

First we'll need to create an ACL file for the replication utility kprop. It should live /var/Kerberos/krb5kdc/kpropd.acl and have the contents:

[email protected]
[email protected]

You'll need to create host keys for each of the kerberos servers if they haven't been created already.

[[email protected] ~]# kadmin -p <<username>>/admin
kadmin:  addprinc -rand host/
kadmin:  addprinc -rand host/

You'll need to add the keys to the local keytab file on the primary KDC.

[[email protected] ~]# kadmin -p <<username>>/admin
kadmin:  ktadd host/
kadmin:  ktadd host/

Copy the keytab file from the primary KDC to the secondary server using an encrypted transfer mechanism such as SCP.

[[email protected] ~]# scp /etc/krb5.keytab [email protected]:/etc/krb5.keytab

At this point you'll want to restart the master's service and then start up the kdc on the slave server:

[[email protected] ~]# chkconfig krb5kdc start
[[email protected] ~]# /etc/init.d/krb5kdc start

Once the Slave is setup you'll need to modify the /etc/krb5.conf on the client machines and the master machine to include the FQDN of the slave in the [realms] section for the appropriate domain. The [realms] section would then look like:

    kdc =
    kdc =
    admin_server =

Adding a New Host to the Domain

Hosts need krb5-workstation and krb5-libs installed. Make sure the client firewall rules have been applied.

Be sure to copy the config file /etc/krb5.conf mentioned on this page to each client machine.

[[email protected] ~]# kadmin -p <<username>>/admin
kadmin:  addprinc -randkey host/<<FQDN>>
kadmin:  ktadd -k /etc/krb5.keytab host/<<FQDN>>

You'll need to replace <> with the domain name of the host you're adding. It will need a DNS entry matching this hostname.

Firewall Configuration

Server Adjustments

# Allow authentication to the KDC
-A INPUT -m tcp -p tcp --dport 88 -j ACCEPT
# Allow remote kerberos administration. This should probably be restricted more
-A INPUT -m tcp -p tcp --dport 749 -j ACCEPT

Client Adjustments

# Allow authentication to the KDC
-A OUTPUT -m tcp -p tcp --dport 88 -j ACCEPT

Setting up a client machine to talk to the KDC will initially require this rule as well:

# Temporarily need this to setup the connection with the KDC
-A OUTPUT -m tcp -p tcp --dport 749 -j ACCEPT

Configuration Files


  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  renew_lifetime = 3d
  forwardable = true

    kdc =
    admin_server =



[email protected]  *


  kdc_ports = 88
  kdc_tcp_ports = 88

    master_key_type = aes256-cts
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    dict_file = /usr/share/dict/words
    admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
    supported_enctypes = aes256-cts:normal aes128-cts:normal 


Notes on Cached Client Login