My attempt to follow the steps here HOWTO: Kerberos for small networks, without LDAP or AD. Hopefully I will have a working Key Distribution Center solution for the farm when I am done, as the steps I am following are about twelve years old at this point.

Goal 1

  • A master Key Distribution Center (KDC) built on MIT-KRB5 Kerberos.


    Working Network Time Protocol (NTP)

    Validate NTP is working on systems using systemd by issuing timedatectl status command.

    $ timedatectl status
                 Local time: Fri 2019-10-25 04:41:10 CDT
             Universal time: Fri 2019-10-25 09:41:10 UTC
                   RTC time: Fri 2019-10-25 09:41:10
                  Time zone: US/Central (CDT, -0500)
     System clock synchronized: yes
                NTP service: active
            RTC in local TZ: no

    Output from devices running long term support (LTS) releases may look more like the following:

                       Local time: Fri 2019-10-25 05:08:56 CDT
                    Universal time: Fri 2019-10-25 10:08:56 UTC
                          RTC time: Fri 2019-10-25 10:08:58
                         Time zone: America/Chicago (CDT, -0500)
         System clock synchronized: yes
    systemd-timesyncd.service active: yes
                   RTC in local TZ: no

    Issue systemctl status systemd-timesyncd.service command to check which NTP server device is syncing time with.

    $ systemctl status systemd-timesyncd.service
    ● systemd-timesyncd.service - Network Time Synchronization
       Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)
       Active: active (running) since Fri 2019-10-25 04:50:21 CDT; 1min 33s ago
         Docs: man:systemd-timesyncd.service(8)
     Main PID: 88031 (systemd-timesyn)
       Status: "Synchronized to time server for the first time ("
        Tasks: 2
       Memory: 1.2M
          CPU: 236ms
       CGroup: /system.slice/systemd-timesyncd.service
               └─88031 /lib/systemd/systemd-timesyncd
    Oct 25 04:50:21 setback systemd[1]: Starting Network Time Synchronization...
    Oct 25 04:50:21 setback systemd[1]: Started Network Time Synchronization.
    Oct 25 04:50:21 setback systemd-timesyncd[88031]: Synchronized to time server for the first time (

Working Domain Name Service (DNS)

Kerberos ticketing depends on working which I will define for this post as the forward and reverse lookups work for the KDC. Further the hostname -f command returns the fully qualified domain name for the KDC. The same expectations will need to be in place for devices hoping to make use of the KDC.

$ dig +noall +answer 19588	IN	A
chuck@setback ~ $ dig +noall +answer -x 43518 IN	PTR
$ hostname -f


For this initial set up I will be using the following:


  • DNS domain:
  • Kerberos realm: GRIMMIG.MINE.NU
  • Key Distribution Center (KDC) host:
  • KDC config file: /var/lib/krb5kdc/kdc.conf
  • Admin ACL file: /var/lib/krb5kdc/kadm5.acl
  • Readable only by root


  • Client configuration file: /etc/krb5.conf
  • PAM file to allow Kerberos system access: /etc/pam.d/system-auth


  • Install necessary packages on KDC:
    • app-crypt/mit-krb5-1.17-r1
    • sys-auth/pam_krb5-4.7
  • Create initial kdc.conf file, /var/lib/krb5kdc/kdc.conf.
    max_life = 16h 0m 0s
	max_renewable_life = 7d 0h 0m 0s
	master_key_type = aes256-cts-hmac-sha1-96
	supported_enctypes = aes256-cts-hmac-sha1-96:normal rc4-hmac:normal
	kdc_supported_enctypes = aes256-cts-hmac-sha1-96:normal rc4-hmac:normal
  • Create admin ACL file, /var/lib/krb5kdc/kadm5.acl.
*/admin@GRIMMIG.MINE.NU   *
  • Create client config file, /etc/krb5.conf. Same across all devices.
  default_realm = GRIMMIG.MINE.NU
  default_tkt_enctypes = aes256-cts-hmac-sha1-96
  default_tgs_enctypes = aes256-cts-hmac-sha1-96
  permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
  forwardable = true

    admin_server =
	kdc =

  kdc = SYSLOG
  admin_server = SYSLOG
  default = SYSLOG
  • Create Keberos database.
    • Do not forget or lose passwordrd entered.
    • Ensure /var/lib/krb5kdc/.k5.GRIMMIG.MINE.NU is readable only by root after creation.
kdb5_util create -r GRIMMIG.MINE.NU -s
  • Add Kerberos database service principals and users.

Add required Kerberos service principals to system keytab.

kadmin:local: ktadd kadmin/admin kadmin/changepw

Create default policy.

kadmin.local:  add_policy -maxlife "10 years" default

Create normal and administrative user principals, replaceing user name in the following with actual user account names.

kadmin.local:  add_principal username/admin
kadmin.local:  add_principal username

Create KDC server host principal and add to keytab.

kadmin.local:  add_principal -randkey host/
kadmin.local:  ktadd host/

Exit admin utility.

kadmin.local:  quit
  • Enable and start KDC services.
systemctl enable mit-krb5kdc
systemctl enable mit-krb5kadmind
systemctl start mit-krb5kdc
systemctl start mit-krb5kadmind
  • Testing

  • Get ticket for host principal from keytab sudo kinit -k
    • No feedback is good.
  • Review ticket:
$ sudo klist
Ticket cache: FILE:/tmp/krb5cc_1000_Omhc4N
Default principal: host/

Valid starting       Expires              Service principal
10/29/2019 09:04:35  10/30/2019 01:04:35  krbtgt/GRIMMIG.MINE.NU@GRIMMIG.MINE.N
	renew until 10/30/2019 09:04:35
  • Get user ticket:
$ kinit chuck
Password for chuck@GRIMMIG.MINE.NU:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000_Omhc4N
Default principal: chuck@GRIMMIG.MINE.NU

Valid starting       Expires              Service principal
10/29/2019 09:12:42  10/30/2019 01:12:42  krbtgt/GRIMMIG.MINE.NU@GRIMMIG.MINE.NU
	renew until 10/30/2019 09:12:42

As no errors, first KDC is presumed ready for use.