Centralized Authentication with Kerberos 5, Part I

Kerberos can solve your account administration woes.

This tells you if you need to use special configure options for your site. /usr/local/ is the default installation directory. If you need this software in another directory, use a --prefix=/new/path/to/directory flag in the next step.

5) In almost all cases, the default should be fine:

% ./configure

6) Compile the package with:

% make

I had a problem with one file in the krb5-1.3.4/src/kadmin/testing/util directory, which can be safely ignored. Restart the compilation with % make -i in this case.

7) Check whether everything compiled correctly with:

% make check

8) If everything looks okay, install the package with:

% sudo make install

Never compile code as root. Use root privileges only when necessary, as in these installation steps.

9) You now have MIT Krb5 installed in /usr/local/. Some additional directories need to be created by hand and their permissions set:

% sudo mkdir -p /usr/local/var/krb5kdc
% sudo chown root /usr/local/var/krb5kdc
% sudo chmod 700 /usr/local/var/krb5kdc

If you really need or want to compile your own PAM module, here are the steps to get a working version of the module shipped by Red Hat. Get the source (see Resources) and upack it with:

% tar zxf pam_krb5-1.3-rc7.tar.gz

% cd pam_krb5-1.3-rc7

Your $PATH environment variable has to have the Kerberos distribution of your choice first, in case you have more than one distribution on your computer. For example:

% PATH=/usr/local/bin:$PATH

if you have installed your own version in /usr/local. Then execute:

% ./configure

Then compile and install the package with:

% make
% sudo make install

Creating Your Realm

A Kerberos realm is an administrative domain that has its own Kerberos database. Each Kerberos realm has its own set of Kerberos servers. The name of your realm can be anything, but it should reflect your place in the DNS world. If the new Kerberos realm is for your entire DNS domain example.com, you should give the same name (with all capital letters, this is a Kerberos convention) to your Kerberos realm: EXAMPLE.COM. Or, if your are setting up a new realm for your engineering department in example.com, a realm name of ENG.EXAMPLE.COM could be chosen.

The first step for creating your own realm is to create a /etc/krb5.conf file that contains all the necessary information about this realm. The krb5.conf file needs to be on every computer that wants access to your new Kerberos realm. Here is an example file for the realm EXAMPLE.COM with the KDC and administration servers running on machine kdc.example.com:

    # determines your default realm name
    default_realm = EXAMPLE.COM

        # specifies where the servers are and on
        # which ports they listen (88 and 749 are
        # the standard ports)
        kdc = kdc.example.com:88
        admin_server = kdc.example.com:749

    # maps your DNS domain name to your Kerberos
    # realm name
    .example.com = EXAMPLE.COM

    # determines where each service should write its
    # logging info
    admin_server = SYSLOG:INFO:DAEMON
    default = SYSLOG:INFO:DAEMON

The next file, /usr/local/var/krb5kdc/kdc.conf, configures the KDC server. It needs to be on only the computer running the KDC dæmon. Every entry has a reasonable default. Creating an empty file should be sufficient for most cases:

% sudo touch /usr/local/var/krb5kdc/kdc.conf

The following commands need to be executed on the computer that will become your KDC. The command:

% sudo /usr/local/sbin/kdb5_util create -s



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

SSO not working

satish patel's picture

I have read document and implement it but my SSH not working for SSO like one time auth its asking me passwd again and again any solution ?

/etc/hosts file

Joe_Hill's picture

Excellent guide.

Here's a tip that might save knuckleheads like me a few hours of stumbling around: None of this works if you don't have /etc/hosts set up properly. I kept getting this error:

kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface

/etc/hosts MUST contain a line associating the KDC server not with a loopback address (WRONG: " kdc.example.com") but with a real IP address available over the network (RIGHT: " kdc.example.com"). Ports 88 and 749 must be unfirewalled.

(Since I'm currently out of town and can't fiddle with my router, I'm temporarily assigning KDC to the local address assigned by the router (, although of course this means I can't access Kerberos over the Internet).

/etc/passwd & /etc/shadow account syncronisation

Aaron Tate's picture

The second requirement is harder to meet. All account names, UIDs and GIDs have to be the same on all your
computers. This is necessary because each of these accounts becomes a new and independent Kerberos account,
called a principal. You have to go through all your local /etc/passwd files and check whether this requirement is
met. If not, you need to consolidate your accounts. If you want to add Windows or Mac OS X clients to your
Kerberos installation, you need to look at all the accounts on those machines as well.

I assume this only applies to user accounts (ie uid > 1k), it would be an utter pain to have to synchronise system accounts across multiple machines.

Format or /etc/krb5.conf

Joe Knall's picture

Running "kdb5_util create -s" gave me the error "Improper format of Kerberos configuration file while initializing Kerberos code" with the example krb5.conf in the article.
Removing all leading whitespace from krb5.conf did the trick.
Thank you btw


shann's picture


I have read this article. I was wondering is there any second part(s) / continuation of this tutorial? if yes can you provide those tutorial links?

please note my eramil id : massoo@gmail.com , massoo@30gigs.com


pam-krb5 and gksudo

Jared's picture

I've been following the directions in this article and the the subsequent articles about centralized authentication and I was delighted to get my kerberos implementation working. But upon further investigation, I realized that although login and sudo works, applications that use gksudo, such as synaptic don't is there a solution for this. I found a few others with this promlem on the internet, but I couldn't find any solutions. Many thanks for your help on this issue, and all of your very informative articles.


Donny's picture

I have since moved away from sudo and started using .k5user and .k5login in /root/ directory

.k5login allow users in that file access to become root
.k5user allow specified commands to be executed as root or as another user.