How to Install and Prepare Kerberos Server

Introduction

This guide shows how to install and prepare a MIT Kerberos server. It includes steps to create a realm, configure the primary and secondary Key Distribution Centers (KDCs), and connect clients. This setup is used to enable Kerberos authentication for systems like Easy8.

Target Audience

  • Administrator

Prerequisites

Before starting, ensure you have:

  • A properly configured DNS server for your domain
  • NTP (Network Time Protocol) synchronized across all hosts
  • Debian-based or RedHat-based Linux systems
  • Root access for server configuration

How to Install and Configure Kerberos Server

Step 1: Install Kerberos Packages

sudo apt install krb5-kdc krb5-admin-server

Step 2: Create a New Realm

sudo krb5_newrealm

Step 3: Edit Realm Configuration (Optional)

sudo dpkg-reconfigure krb5-kdc

Step 4: Create Admin Principal

sudo kadmin.local
addprinc manager/admin

Step 5: Set ACL Permissions

Edit /etc/krb5kdc/kadm5.acl:

manager/admin@EASYPROJECT.COM        *

Step 6: Restart Admin Server

sudo systemctl restart krb5-admin-server.service

Step 7: Test Admin Login

kinit manager/admin
klist

Step 8: Configure Hosts and DNS SRV Records

Edit /etc/hosts:

192.168.0.1 kdc01.example.com kdc01

Configure DNS:

_kerberos._udp.EASYPROJECT.COM.     IN SRV 1 0 88  kdc01.easyproject.com.
_kerberos._tcp.EASYPROJECT.COM.     IN SRV 1 0 88  kdc01.easyproject.com.
_kerberos._udp.EASYPROJECT.COM.     IN SRV 10 0 88 kdc02.easyproject.com.
_kerberos._tcp.EASYPROJECT.COM.     IN SRV 10 0 88 kdc02.easyproject.com.
_kerberos-adm._tcp.EASYPROJECT.COM. IN SRV 1 0 749 kdc01.easyproject.com.
_kpasswd._udp.EASYPROJECT.COM.      IN SRV 1 0 464 kdc01.easyproject.com.
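The SRV records above can be sanity-checked before they are published. The script below is an added example, not part of the original guide: it validates a constructed copy of those records (each service on its assigned port, 88 for _kerberos, 749 for _kerberos-adm, 464 for _kpasswd; targets fully qualified) and prints the order in which a client will try the KDCs, lowest priority value first, so kdc01 is preferred over kdc02. It assumes only a POSIX shell with awk and sort; the zone text is a constructed sample copied from the records above.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check Kerberos SRV
# records. Expected ports are the IANA assignments the guide uses.

# Constructed sample zone fragment, copied from the guide's DNS step.
SAMPLE_ZONE='_kerberos._udp.EASYPROJECT.COM.     IN SRV 1 0 88  kdc01.easyproject.com.
_kerberos._tcp.EASYPROJECT.COM.     IN SRV 1 0 88  kdc01.easyproject.com.
_kerberos._udp.EASYPROJECT.COM.     IN SRV 10 0 88 kdc02.easyproject.com.
_kerberos._tcp.EASYPROJECT.COM.     IN SRV 10 0 88 kdc02.easyproject.com.
_kerberos-adm._tcp.EASYPROJECT.COM. IN SRV 1 0 749 kdc01.easyproject.com.
_kpasswd._udp.EASYPROJECT.COM.      IN SRV 1 0 464 kdc01.easyproject.com.'

# expected_port SERVICE: print the port that service must use; fail if unknown.
expected_port() {
  case "$1" in
    _kerberos)     echo 88 ;;
    _kerberos-adm) echo 749 ;;
    _kpasswd)      echo 464 ;;
    *)             return 1 ;;
  esac
}

# check_srv_records: read SRV lines on stdin, print one problem per line,
# return 0 if every record is sane and 1 otherwise.
check_srv_records() {
  status=0
  while read -r name class type prio weight port target; do
    [ -n "$name" ] || continue
    if [ "$type" != "SRV" ]; then
      echo "BAD: $name is not an SRV record"; status=1; continue
    fi
    svc=${name%%.*}     # "_kerberos" from "_kerberos._udp.EASYPROJECT.COM."
    if ! want=$(expected_port "$svc"); then
      echo "BAD: unknown service $svc in $name"; status=1; continue
    fi
    if [ "$port" != "$want" ]; then
      echo "BAD: $name uses port $port, expected $want"; status=1
    fi
    case "$target" in
      *.) ;;   # fully qualified target, fine
      *) echo "BAD: $name target '$target' lacks a trailing dot"; status=1 ;;
    esac
  done
  return $status
}

# kdc_order: print the _kerberos._udp targets in the order a client tries
# them (lowest SRV priority value first).
kdc_order() {
  awk '$1 ~ /^_kerberos\._udp\./ { print $4, $7 }' | sort -n | awk '{ print $2 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_ZONE" | check_srv_records && echo "SRV records OK"
printf '%s\n' "$SAMPLE_ZONE" | kdc_order
```

Run it against the real zone by piping the output of `dig +noall +answer SRV _kerberos._udp.EASYPROJECT.COM` (and the other names) into check_srv_records instead of the sample; the field layout is the same.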

Configure a Secondary KDC (Optional)

  1. Install packages:
    sudo apt install krb5-kdc krb5-admin-server
  2. Add host principal:
    kadmin -q "addprinc -randkey host/kdc02.easyproject.com"
  3. Create and move keytab:
    kadmin -q "ktadd -norandkey -k keytab.kdc02 host/kdc02.easyproject.com"
    sudo mv keytab.kdc02 /etc/krb5.keytab
  4. Update ACL on both KDCs:
    host/kdc01.easyproject.com@EASYPROJECT.COM
    host/kdc02.easyproject.com@EASYPROJECT.COM
  5. Create database:
    sudo kdb5_util -s create
  6. Start kpropd:
    sudo kpropd -S
  7. On Primary KDC, push database:
    sudo kdb5_util dump /var/lib/krb5kdc/dump
    sudo kprop -r EASYPROJECT.COM -f /var/lib/krb5kdc/dump kdc02.easyproject.com
  8. Create stash file:
    sudo kdb5_util stash
  9. Start Secondary KDC:
    sudo systemctl start krb5-kdc.service
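Two things are worth checking before the first kprop run: that the propagation ACL only lists host principals of this realm, and that the keytab and stash files are readable by root alone. The script below is an added example, not part of the original guide, that performs both checks on constructed temporary files so it runs offline. It assumes the ACL entries from step 4 live in /etc/krb5kdc/kpropd.acl (the file MIT kpropd reads), the realm EASYPROJECT.COM used throughout the guide, and GNU coreutils stat(1) as found on the Debian/RedHat systems the guide targets.

```shell
#!/bin/sh
# Added example, not from the original guide: pre-flight checks for the
# secondary-KDC steps. Runs offline on constructed temporary files.

REALM=EASYPROJECT.COM   # assumption: the realm used throughout the guide

# check_kpropd_acl FILE
# Every non-empty line must name a host principal of this realm, i.e.
# host/<fqdn>@REALM, because kpropd only accepts pushes from principals
# listed here. Returns 1 on any entry that does not fit.
check_kpropd_acl() {
  acl_status=0
  while read -r entry; do
    [ -n "$entry" ] || continue
    case "$entry" in
      host/*.*@"$REALM") ;;
      *) echo "BAD acl entry: $entry (expected host/<fqdn>@$REALM)"; acl_status=1 ;;
    esac
  done < "$1"
  return $acl_status
}

# check_secret_mode FILE
# Keytabs and the KDC stash file hold long-term keys and must be readable by
# root only: mode 600 or 400. Uses GNU stat -c (Linux).
check_secret_mode() {
  mode=$(stat -c '%a' "$1") || return 1
  case "$mode" in
    600|400) return 0 ;;
    *) echo "BAD mode $mode on $1 (expected 600 or 400)"; return 1 ;;
  esac
}

# Stand-alone demonstration on constructed files (not the real /etc paths).
demo_dir=$(mktemp -d)
printf '%s\n' \
  "host/kdc01.easyproject.com@$REALM" \
  "host/kdc02.easyproject.com@$REALM" > "$demo_dir/kpropd.acl"
check_kpropd_acl "$demo_dir/kpropd.acl" && echo "kpropd.acl OK"

: > "$demo_dir/krb5.keytab"
chmod 600 "$demo_dir/krb5.keytab"
check_secret_mode "$demo_dir/krb5.keytab" && echo "keytab mode OK"

chmod 644 "$demo_dir/krb5.keytab"   # deliberately wrong, reported as BAD
check_secret_mode "$demo_dir/krb5.keytab" || echo "would fix with: chmod 600 /etc/krb5.keytab"
rm -rf "$demo_dir"
```

On a real KDC, point check_kpropd_acl at /etc/krb5kdc/kpropd.acl and check_secret_mode at /etc/krb5.keytab and the stash file created in step 8; a non-zero exit means the push should not be started yet.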

Use Active Directory as Kerberos Server

  1. Create AD user (e.g., easysso).
  2. Generate keytab on AD:
    ktpass -princ HTTP/www.easyproject.com@EASYPROJECT.COM -mapuser easysso@EASYPROJECT.COM -pass SECRET -crypto ALL -ptype KRB5_NT_PRINCIPAL -out C:\Temp\http.keytab
  3. Set SPN:
    setspn -s HTTP/www.easyproject.com easysso

Set Up a Linux Kerberos Client

  1. Install packages:
    sudo apt install krb5-user libpam-krb5 libpam-ccreds auth-client-config
  2. Configure realm:
    sudo dpkg-reconfigure krb5-config
  3. Adjust PAM for UID > 5000:
    for i in common-auth common-session common-account common-password; do
      sudo sed -i -r -e 's/pam_krb5.so minimum_uid=1000/pam_krb5.so minimum_uid=5000/' /etc/pam.d/$i
    done
  4. Test with kinit:
    kinit manager@EASYPROJECT.COM
    klist
  5. Enable ticket retrieval at login:
    sudo auth-client-config -a -p kerberos_example

Conclusion

You have successfully installed and configured a Kerberos server, with optional secondary KDC, Active Directory integration, and client setup. This configuration enables secure user authentication across your network.
