
3.2.1. Installation


For this discussion, we will create an MIT Kerberos domain with the following features (edit them to fit your needs):

Realm: EXAMPLE.COM

Primary KDC: kdc01.example.com (192.168.0.1)

Secondary KDC: kdc02.example.com (192.168.0.2)

User principal: steve

Admin principal: steve/admin



It is strongly recommended that your network-authenticated users have their uid in a different range (say, starting at 5000) than that of your local users.


Before installing the Kerberos server, a properly configured DNS server is needed for your domain. Since the Kerberos Realm by convention matches the domain name, this section uses the EXAMPLE.COM domain configured in Section 2.3, “Primary Master” [p. 169] of the DNS documentation.


Kerberos is also a time-sensitive protocol. If the local system time on a client machine differs from the server's by more than five minutes (the default), the workstation will not be able to authenticate. To prevent this, all hosts should have their time synchronized using the same Network Time Protocol (NTP) server. For details on setting up NTP see Section 4, “Time Synchronization” [p. 55].
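
The two prerequisites above (DNS and time) can be checked before installing anything. The following script is an added example, not part of the original guide: the function names are illustrative, it assumes a systemd host for the NTP check, and it treats "properly configured DNS" as meaning that the KDC's name resolves and its address maps back to the same name.

```bash
#!/usr/bin/env bash
# Pre-install checks for a host that will become a KDC.
# Added example: function names are illustrative, not from the guide.

MAX_SKEW=300   # Kerberos default clock tolerance: five minutes, in seconds

# Realm that convention assigns to a host: its DNS domain, upper-cased.
realm_for_host() {
    local fqdn="${1%.}"                      # drop a trailing root dot
    case $fqdn in
        *.*) printf '%s\n' "${fqdn#*.}" | tr '[:lower:]' '[:upper:]' ;;
        *)   return 1 ;;                     # bare hostname, no domain part
    esac
}

# Succeeds when two epoch timestamps differ by no more than the limit.
skew_within() {
    local diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then diff=$(( -diff )); fi
    [ "$diff" -le "${3:-$MAX_SKEW}" ]
}

# Succeeds when the name resolves and its address maps back to the same name.
fwd_rev_consistent() {
    local addr back
    addr=$(getent hosts "$1" | awk 'NR==1 {print $1}')
    [ -n "$addr" ] || return 1
    back=$(getent hosts "$addr" | awk 'NR==1 {print $2}')
    [ "${back%.}" = "${1%.}" ]
}

# Usage: preflight FQDN [REFERENCE_EPOCH]
preflight() {
    local fqdn="$1" ref="${2:-}" rc=0
    echo "expected realm: $(realm_for_host "$fqdn" || echo 'none (not an FQDN)')"
    fwd_rev_consistent "$fqdn" || { echo "FAIL: forward/reverse DNS mismatch for $fqdn"; rc=1; }
    # Assumes a systemd host; timedatectl reports whether NTP sync is active.
    if [ "$(timedatectl show -p NTPSynchronized --value 2>/dev/null)" != yes ]; then
        echo "FAIL: system clock is not NTP-synchronized"; rc=1
    fi
    if [ -n "$ref" ] && ! skew_within "$(date +%s)" "$ref"; then
        echo "FAIL: clock differs from reference by more than ${MAX_SKEW}s"; rc=1
    fi
    return "$rc"
}

if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

Run it on the future KDC with its fully qualified name as the first argument; the optional second argument is an epoch timestamp read from another host in the realm, used to compare clocks directly.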


The first step in creating a Kerberos Realm is to install the krb5-kdc and krb5-admin-server packages. From a terminal enter:


sudo apt install krb5-kdc krb5-admin-server


At the end of the install you will be asked to supply the hostnames of the Kerberos and Admin servers for the realm, which may or may not be the same server.



By default the realm is created from the KDC's domain name.


Next, create the new realm with the krb5_newrealm utility:


sudo krb5_newrealm

