Last updated: 2021-10-27


Dependent Services


 * NTP

Kerberos is a time-sensitive protocol.

The clock difference between client and server may be at most 5 minutes.

 * DNS (/etc/hosts)

Used to locate the KDC.





Realm

The domain or group your hosts and users belong to; it should be in uppercase.
By default the realm is created from the KDC's domain name.

Key Distribution Center (KDC)

Consists of three parts: a database of all principals, the authentication server, and the ticket granting server.

Ticket Granting Ticket (TGT)

Issued by the Authentication Server (AS).

Ticket Granting Server (TGS)

Issues service tickets to clients upon request.


confirm the identity of the two principals.

Keytab Files

Files extracted from the KDC principal database; they contain the encryption key for a service or host.

It is strongly recommended that your network-authenticated users have their uid in a different range from that of your local users.


Installation on Rocky8



dnf install krb5-server

Service Management

systemctl start krb5kdc
systemctl enable krb5kdc

systemctl start kadmin

Firewall Setting

firewall-cmd --add-service=kerberos     # 88/tcp&udp

firewall-cmd --add-service=kadmin       # 749/tcp

Kerberos administration protocol (remote access to kadmin); opening it is not recommended.

firewall-cmd --add-service=kpasswd      # 464/tcp&udp

The kpasswd command is used to change a Kerberos principal's password.





includedir /etc/krb5.conf.d/


 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 dns_lookup_kdc = false
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 spake_preauth_groups = edwards25519
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = DATAHUNTER.LOCAL
  admin_server = DATAHUNTER.LOCAL


[realms]: realm-specific contact information and settings.

[domain_realm]: maps server hostnames to Kerberos realms.
If no translation entry applies to a hostname used for a service principal for a service ticket request,
the library will try to get a referral to the appropriate realm from the client realm's KDC.

dns_lookup_kdc: indicates whether DNS SRV records should be used to locate the KDCs and other servers for a realm,
if they are not listed in the krb5.conf information for the realm.

dns_uri_lookup: indicates whether DNS URI records should be used to locate the KDCs and other servers for a realm,
if they are not listed in the krb5.conf information for the realm.

The kdc.conf file supplements krb5.conf(5) for programs which are typically only used on a KDC
(krb5kdc(8), kadmind(8), kdb5_util(8)).
For these KDC programs, krb5.conf and kdc.conf are merged into a single configuration profile.






kdb5_util - Kerberos database maintenance utility

# Create a Kerberos database.
# You will be prompted for a password, which acts as the master key.

kdb5_util create -s

Initializing database '/var/kerberos/krb5kdc/principal' for realm 'DATAHUNTER.LOCAL',
master key name 'K/M@DATAHUNTER.LOCAL'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:

The -s flag is specified so that a stash file is created,
allowing the Kerberos service to start automatically without requiring the master key to be provided manually.

# The -f argument can be used to override the key_stash_file specified in kdc.conf(5).
# The default is /var/kerberos/krb5kdc/.k5.REALM

kdb5_util stash [-f key_stash_file]

ls -al /var/kerberos/krb5kdc/

total 28
drwxr-xr-x. 2 root root  155 Oct 19 12:23 .
drwxr-xr-x. 4 root root   33 Oct 19 11:56 ..
-rw-------. 1 root root   81 Oct 19 12:23 .k5.DATAHUNTER.LOCAL
-rw-------. 1 root root   22 Sep 22 02:31 kadm5.acl
-rw-------. 1 root root  441 Oct 19 12:17 kdc.conf
-rw-------. 1 root root 8192 Oct 19 12:23 principal
-rw-------. 1 root root 8192 Oct 19 12:23 principal.kadm5
-rw-------. 1 root root    0 Oct 19 12:23 principal.kadm5.lock
-rw-------. 1 root root    0 Oct 19  2021 principal.ok

File: principal

principal: Berkeley DB 1.85/1.86 (Btree, version 3, native byte-order)




  • kadmin.local: must be run on the KDC server itself
  • kadmin: can be run on any system in the KDC realm



Authenticating as principal root/admin@DATAHUNTER.LOCAL with password.

Help: "?"        # List available requests


  • addprinc
  • listprincs
  • getprinc
  • delprinc
  • modprinc
  • renprinc
  • cpw, change_password      # Change password


  • list_policies, listpols
  • add_policy, addpol
  • modify_policy, modpol
  • delete_policy, delpol
  • get_policy, getpol


  • getprivs      # Get privileges


kadmin.local:  addprinc datahunter

No policy specified for datahunter@DATAHUNTER.LOCAL; defaulting to no policy
Enter password for principal "datahunter@DATAHUNTER.LOCAL":
Re-enter password for principal "datahunter@DATAHUNTER.LOCAL":
Principal "datahunter@DATAHUNTER.LOCAL" created.

kadmin.local: listprincs


kadmin.local:  delprinc tim

Are you sure you want to delete the principal "tim@DATAHUNTER.LOCAL"? (yes/no): yes
Principal "tim@DATAHUNTER.LOCAL" deleted.
Make sure that you have removed this principal from all ACLs before reusing.

kadm5.acl: configures which clients may administer the database (remotely).

For regular users with no special privileges, no action is required.





kinit - request a ticket



Integrating Kerberos with Software



  • native Kerberos support
  • delegating the authentication work to the PAM subsystem

native Kerberos support


ssh Server

Kerberos-5 only for SSH-1

SSH-2 has no standard support for Kerberos yet.

However, there is a proposal to add it via GSSAPI (Generic Security Services Application Programming Interface, RFC 1964).


# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# default sshd_config file has GSSAPIAuthentication=yes

Configure your host so that it knows where to get Kerberos tickets.

ssh Client


GSSAPIAuthentication yes

Run kadmin on the client machine to connect to the Kerberos server,
then call ktadd, which exports the key to the local filesystem (the keytab).

PAM subsystem

authconfig configures /etc/sssd/sssd.conf automatically




/var/log/krb5kdc.log         # Rocky8

Oct 19 16:30:05 r8.local krb5kdc[68565](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) CLIENT_NOT_FOUND: tim@DATAHUNTER.LOCAL for krbtgt/DATAHUNTER.LOCAL@DATAHUNTER.LOCAL, Client not found in Kerberos database

Oct 19 16:21:04 r8.local krb5kdc[68565](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) ISSUE: authtime 1634631664, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, datahunter@DATAHUNTER.LOCAL for krbtgt/DATAHUNTER.LOCAL@DATAHUNTER.LOCAL
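As an added example (not part of the original notes), a Python parser for the AS_REQ lines of krb5kdc.log shown above: it separates issued tickets from failures such as CLIENT_NOT_FOUND, counts failures per client principal, and flags tickets issued with a legacy etype (DES/RC4). The sample log lines are constructed in the same format; the source-address field, which KDC logs may include after the etype list, is treated as optional.

```python
import re
from collections import Counter

# Matches the krb5kdc AS_REQ lines shown above. The source-address field is optional
# because this page's sample lines omit it; the authtime/etypes group only appears on ISSUE lines.
AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): AS_REQ \(\d+ etypes \{(?P<offered>[^}]*)\}\) "
    r"(?:(?P<addr>[0-9a-f.:]+): )?(?P<result>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), etypes \{rep=[^,]+, tkt=(?P<tkt>[^,(]+)\(\d+\), ses=[^}]+\}, )?"
    r"(?P<client>[^\s,]+) for (?P<service>[^\s,]+)(?:, (?P<message>.*))?$"
)
WEAK_ETYPE_PREFIXES = ("des", "arcfour")  # single-DES, 3DES and RC4 families


def parse_as_req(line):
    """Return the fields of one AS_REQ line as a dict, or None for any other line."""
    m = AS_REQ_RE.search(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["offered"] = [e.strip() for e in rec["offered"].split(",") if e.strip()]
    rec["weak_ticket"] = bool(rec["tkt"] and rec["tkt"].startswith(WEAK_ETYPE_PREFIXES))
    return rec


def summarize(lines):
    """Count outcomes, failed requests per client principal, and weakly encrypted tickets."""
    results, failures, weak = Counter(), Counter(), []
    for rec in filter(None, map(parse_as_req, lines)):
        results[rec["result"]] += 1
        if rec["result"] != "ISSUE":
            failures[rec["client"]] += 1  # CLIENT_NOT_FOUND, PREAUTH_FAILED, ...
        elif rec["weak_ticket"]:
            weak.append((rec["client"], rec["tkt"]))
    return {"results": dict(results), "failures": dict(failures), "weak_tickets": weak}


# Constructed sample lines in the format shown above, not taken from a real KDC.
PREFIX = ("Oct 19 16:21:04 r8.local krb5kdc[68565](info): AS_REQ "
          "(2 etypes {aes256-cts-hmac-sha1-96(18), arcfour-hmac(23)}) ")
SAMPLE_LOG = [
    PREFIX + "ISSUE: authtime 1634631664, etypes {rep=aes256-cts-hmac-sha1-96(18), "
    "tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, "
    "datahunter@DATAHUNTER.LOCAL for krbtgt/DATAHUNTER.LOCAL@DATAHUNTER.LOCAL",
    PREFIX + "CLIENT_NOT_FOUND: tim@DATAHUNTER.LOCAL for krbtgt/DATAHUNTER.LOCAL@DATAHUNTER.LOCAL, "
    "Client not found in Kerberos database",
    PREFIX + "PREAUTH_FAILED: datahunter@DATAHUNTER.LOCAL for krbtgt/DATAHUNTER.LOCAL@DATAHUNTER.LOCAL, "
    "Preauthentication failed",
    PREFIX + "ISSUE: authtime 1634631700, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=arcfour-hmac(23), "
    "ses=arcfour-hmac(23)}, legacy@DATAHUNTER.LOCAL for krbtgt/DATAHUNTER.LOCAL@DATAHUNTER.LOCAL",
    "Oct 19 16:21:05 r8.local krb5kdc[68565](info): TGS_REQ (1 etypes {18}) ISSUE: ignored here",
]
```

Run `summarize(SAMPLE_LOG)` to get the outcome counts, the per-principal failure counts, and the list of tickets issued with a weak etype; pipe a real krb5kdc.log through the same function to review a KDC's authentication activity.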