This document uses MIT's Kerberos as the KDC service and assumes that KDC has been properly installed and started. To use Kerberos, create a realm, add the principals of relevant roles (including server and client), and generate a keytab file.
Use the kdb5_util command to create a database for storing information about the principals.
kdb5_util -r EXAMPLE.COM create -s
Initializing database '/var/krb5/principal' for realm 'EXAMPLE.COM'
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: <Type the key>
Re-enter KDC database master key to verify: <Type it again>
kadmin.local
kadmin.local: add_principal -pw testpassword test/host@EXAMPLE.COM
WARNING: no policy specified for test/host@EXAMPLE.COM; defaulting to no policy
Principal "test/host@EXAMPLE.COM" created.
kadmin.local
kadmin.local: ktadd -k /var/krb5kdc/test.keytab test/host@EXAMPLE.COM
Entry for principal test/host@EXAMPLE.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/var/krb5kdc/test.keytab.
Here, we created a principal test/host@EXAMPLE.COM and put the key of this principal into the keytab file /var/krb5kdc/test.keytab.
service krb5-kdc start
 * Starting Kerberos KDC krb5kdc
kinit -k -t /etc/krb5.keytab test-client/host@EXAMPLE.COM
kinit is used to obtain a TGT from the KDC. It sends a request to the KDC server specified in /etc/krb5.conf. If the TGT is successfully obtained, you can see it by using klist.
klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: test-client/host@EXAMPLE.COM

Valid starting       Expires              Service principal
2019-01-15T17:50:25  2019-01-16T17:50:25  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 2019-01-16T00:00:25
After the kinit authentication succeeds, copy the keytab file to the server and client hosts that need it and configure the corresponding principals to use it.
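Before a keytab is copied to other hosts, it is worth inspecting what it contains: which principals and kvno values, and which encryption types (the ktadd output above lists des3-cbc-sha1, which RFC 8429 deprecates for Kerberos). The Python below is an added example, not part of this document or of MIT Kerberos: parse_keytab reads the MIT keytab format (version 0x0502) directly, and the keytab it runs against is constructed inline by the build_keytab helper, so its principals, kvno values and key bytes are made up.

```python
import struct

ENCTYPE_NAMES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
DEPRECATED_ENCTYPES = {1, 2, 3, 16, 23}  # single DES, 3DES and RC4 are deprecated for Kerberos (RFC 6649, RFC 8429)

def _counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)  # counted octet string: uint16 big-endian length, then the bytes
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse an MIT keytab (version 0x0502) into (principal, kvno, enctype name, deprecated) rows."""
    if data[:2] != b"\x05\x02": raise ValueError("not a version-2 MIT keytab")
    rows, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:  # a negative size marks a deleted slot of |size| bytes; skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)  # v2 counts the name components, not the realm
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, kvno, enctype = struct.unpack_from(">IIBH", data, off)
        _key, off = _counted(data, off + 11)  # the key material itself is not needed for this audit
        if end - off >= 4:  # optional 32-bit kvno overrides the 8-bit field when it is non-zero
            kvno = struct.unpack_from(">I", data, off)[0] or kvno
        rows.append(("/".join(comps) + "@" + realm.decode(), kvno, ENCTYPE_NAMES.get(enctype, str(enctype)), enctype in DEPRECATED_ENCTYPES))
        off = end
    return rows

def build_keytab(keys):
    """Serialise (principal, kvno, enctype, key) tuples into keytab bytes; used here only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for princ, kvno, enctype, key in keys:
        name, realm = princ.rsplit("@", 1)
        parts = [realm.encode()] + [c.encode() for c in name.split("/")]
        body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(p)) + p for p in parts)
        body += struct.pack(">IIBHH", 1, 1547570000, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

# Constructed sample mirroring the ktadd output above (kvno 2, des3-cbc-sha1) plus an AES-256 key for the same principal.
SAMPLE_KEYTAB = build_keytab([("test/host@EXAMPLE.COM", 2, 16, bytes(24)), ("test/host@EXAMPLE.COM", 2, 18, bytes(32))])
if __name__ == "__main__":
    for principal, kvno, enctype, deprecated in parse_keytab(SAMPLE_KEYTAB):
        print(principal, "kvno", kvno, enctype, "<-- deprecated enctype, re-key with an AES enctype" if deprecated else "")
```

On a real host, pass the bytes of the file written by ktadd (for example /var/krb5kdc/test.keytab) to parse_keytab; klist -k -e prints the same principal, kvno and enctype information from the command line.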