Kerberos KDC Quickstart Guide

This document describes the steps to configure and run a Kerberos KDC server. The document was created during the NFSv4 Test Day held on 2010-02-04 to help participants who chose to create their own KDC server.


 * 1) Install the krb5-libs, krb5-server, and krb5-workstation packages if you have not done so:
     yum -y install krb5-libs krb5-server krb5-workstation
 * 2) Edit the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf configuration files to reflect the realm name and domain-to-realm mappings. For example, for the domain redhat.com (realm REDHAT.COM):
     [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
     [libdefaults]
     default_realm = REDHAT.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = yes
     [realms]
     REDHAT.COM = {
     kdc = :88
     admin_server = :749
     }
     [domain_realm]
     .redhat.com = REDHAT.COM
     redhat.com = REDHAT.COM
 * 3) Create the database using the kdb5_util utility from a shell prompt:
     /usr/kerberos/sbin/kdb5_util create -s
 * 4) Configure the KDC server to synchronize its clock with NTP. Kerberos rejects requests whose timestamps differ from the KDC's clock by more than the permitted skew (5 minutes by default), so clients and the KDC must agree on the time:
     service ntpd restart
 * 5) Edit the /var/kerberos/krb5kdc/kadm5.acl file so that it contains only this line:
     */admin *
 * 6) Type the following kadmin.local command at the KDC terminal to create the first principal:
     /usr/kerberos/sbin/kadmin.local -q "addprinc root/admin"
 * 7) Modify the firewall rules to allow Kerberos traffic (port 88 for the KDC and port 749 for kadmin), or disable the firewall temporarily:
     iptables -F
     ip6tables -F
 * 8) Start Kerberos using the following commands:
     /sbin/service krb5kdc start
     /sbin/service kadmin start
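The following shell script is an added example for the procedure above; it is not part of the original guide. It renders a krb5.conf in the layout shown in step 2 from a realm, domain and KDC host name, checks that the rendered file actually names a KDC and admin server host (the sample leaves those values blank, and a blank host is the most common reason the client-side kinit fails after this walkthrough), and checks a clock offset against the 300-second skew limit from step 4. The realm EXAMPLE.COM, domain example.com and host kdc.example.com used in the usage comment are constructed placeholders, and the output path is chosen by the caller so nothing under /etc is written until the file passes the check.

```shell
#!/bin/sh
# Added example, not from the original guide. Renders and sanity-checks a
# krb5.conf before it is copied to /etc/krb5.conf. Realm/domain/host values
# are caller-supplied placeholders.

render_krb5_conf() {
    # $1 realm (upper case), $2 DNS domain, $3 KDC host name, $4 output file
    realm=$1; domain=$2; kdc_host=$3; out=$4
    cat > "$out" <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = $realm
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[realms]
 $realm = {
  kdc = $kdc_host:88
  admin_server = $kdc_host:749
 }

[domain_realm]
 .$domain = $realm
 $domain = $realm
EOF
}

check_krb5_conf() {
    # Returns 0 only when [libdefaults] names a default_realm, that realm has a
    # block under [realms], and both kdc and admin_server carry a host name in
    # front of the port. A bare ":88" (as in the guide's sample) is rejected.
    f=$1
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$f")
    [ -n "$realm" ] || { echo "no default_realm in [libdefaults]"; return 1; }
    grep -q "^[[:space:]]*$realm[[:space:]]*=[[:space:]]*{" "$f" \
        || { echo "realm $realm has no [realms] block"; return 1; }
    grep -Eq '^[[:space:]]*kdc[[:space:]]*=[[:space:]]*[^:[:space:]]+:88' "$f" \
        || { echo "kdc entry has no host name"; return 1; }
    grep -Eq '^[[:space:]]*admin_server[[:space:]]*=[[:space:]]*[^:[:space:]]+:749' "$f" \
        || { echo "admin_server entry has no host name"; return 1; }
    return 0
}

clock_skew_ok() {
    # $1 local clock, $2 reference clock (both epoch seconds). The KDC rejects
    # requests whose timestamp is off by more than clockskew, 300 s by default.
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    [ "$d" -le 300 ]
}

# Usage (placeholder values; run by hand, then copy the file into /etc/krb5.conf
# only once check_krb5_conf reports success):
#   render_krb5_conf EXAMPLE.COM example.com kdc.example.com /tmp/krb5.conf \
#       && check_krb5_conf /tmp/krb5.conf
#   clock_skew_ok "$(date +%s)" "<epoch seconds from the NTP server>"
```

The check deliberately looks for a host name in front of the port rather than trusting that the file parses, because krb5.conf with an empty host is syntactically fine and only fails later with an unhelpful "Cannot resolve network address for KDC" on the client.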