PerlStalker’s SysAdmin Notes

Notes from the life of a systems administrator

Gentoo Kerberos5 HOWTO

Originally posted at [2005-10-07 Fri 13:11]

1 Install Kerberos 5

Add kerberos to the USE flags in /etc/make.conf.


Then install everything:

emerge -N world

or:

emerge mit-krb5

This installs the MIT Kerberos 5 library, which may be subject to US export restrictions. The Heimdal krb5 implementation is free from those restrictions. You can install Heimdal instead with:

emerge app-crypt/heimdal

Because the Kerberos install changes libgssapi, run revdep-rebuild afterwards to fix any applications that were built before krb5 was installed. Note: if you install Heimdal, you may need to rebuild OpenSSH to enable krb5 support.

2 Configure Kerberos

Updated 2010-09-26: I just realized that I never put in the example configs. Oops. Sorry about that.

Edit /etc/krb5.conf

sample krb5.conf here

Edit /etc/kdc.conf

sample kdc.conf here

3 Initialize the Database

mkdir /etc/krb5kdc
kdb5_util create -r REALM -s

You will be prompted for the master password. It is stored in the database as the principal K/M@REALM, and the -s flag also writes it to a stash file so the KDC can start without prompting. That stash file is as sensitive as the master password itself: keep it owned by root with no group or other permissions, and keep it out of backups that are not themselves protected.

4 Add Administrators

Now add the admin principals to /etc/krb5kdc/kadm5.acl. kadmind grants no privileges to a principal that is not listed there, so the principal created below must match an ACL entry.

sample kadm5.acl here

bash# kadmin.local
kadmin.local: addprinc admin/admin@REALM

Skip the keytab step.

5 Starting the Servers

/etc/init.d/mit-krb5kadmind start
/etc/init.d/mit-krb5kdc start

It can sometimes take a while to start kadmind. Be patient.
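Since the post never included its sample configs, here is an added, complete example of steps 2 through 5 as one POSIX shell script. It is my example, not the author's files or the Gentoo package's defaults, and it assumes the realm EXAMPLE.COM, the KDC host kdc.example.com, and the file locations this post uses (/etc/krb5.conf, /etc/kdc.conf, /etc/krb5kdc/); it also assumes, as the post does, that kdb5_util reads /etc/kdc.conf. Only AES enctypes are offered, and the stash file's permissions are checked before the servers are started.

```shell
#!/bin/sh
# Added example for this HOWTO, not the author's configs. Assumptions: realm
# EXAMPLE.COM, KDC host kdc.example.com, and the post's file locations.
set -eu

REALM="${REALM:-EXAMPLE.COM}"             # assumed realm (upper case by convention)
KDC_HOST="${KDC_HOST:-kdc.example.com}"   # assumed KDC/kadmin host
KDC_DIR="${KDC_DIR:-/etc/krb5kdc}"        # database, stash file and ACL
KDC_CONF="${KDC_CONF:-/etc/kdc.conf}"     # where the post says kdc.conf lives
DOMAIN=$(printf '%s' "$REALM" | tr '[:upper:]' '[:lower:]')

# Client/library side. DNS lookups are off so the realm and KDC come only
# from this file; turn them on if you publish _kerberos SRV records.
write_krb5_conf() {   # $1 = output path
    cat >"$1" <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_kdc = false
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    $REALM = {
        kdc = $KDC_HOST
        admin_server = $KDC_HOST
    }

[domain_realm]
    .$DOMAIN = $REALM
    $DOMAIN = $REALM

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
EOF
}

# KDC side. Only AES enctypes are offered; single DES is left out on purpose.
write_kdc_conf() {    # $1 = output path
    cat >"$1" <<EOF
[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    $REALM = {
        database_name = $KDC_DIR/principal
        acl_file = $KDC_DIR/kadm5.acl
        key_stash_file = $KDC_DIR/.k5.$REALM
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = aes256-cts-hmac-sha1-96
        supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
    }
EOF
}

# kadmind ACL: one line per principal, "*" grants every privilege. Listing
# only admin/admin is tighter than the common "*/admin@REALM *" wildcard.
write_kadm5_acl() {   # $1 = output path
    printf 'admin/admin@%s    *\n' "$REALM" >"$1"
}

# The stash written by "kdb5_util create -s" is equivalent to the master
# password; it must not be readable by group or other (Linux stat syntax).
stash_mode_ok() {     # $1 = stash file; returns 0 only for an owner-only mode
    [ -f "$1" ] || return 1
    case "$(stat -c '%a' "$1")" in
        [4-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

bootstrap_kdc() {     # steps 3-5 of the post, run as root on the KDC host
    mkdir -p "$KDC_DIR" && chmod 700 "$KDC_DIR"
    write_krb5_conf /etc/krb5.conf
    write_kdc_conf "$KDC_CONF"
    write_kadm5_acl "$KDC_DIR/kadm5.acl"
    kdb5_util create -r "$REALM" -s                 # prompts for the master password
    stash_mode_ok "$KDC_DIR/.k5.$REALM" || chmod 600 "$KDC_DIR/.k5.$REALM"
    kadmin.local -q "addprinc admin/admin@$REALM"   # prompts for the admin password
    /etc/init.d/mit-krb5kdc start
    /etc/init.d/mit-krb5kadmind start
    kinit "admin/admin@$REALM" && klist             # smoke test: a TGT from the new KDC
}

if [ "${1:-}" = "--bootstrap" ]; then
    bootstrap_kdc
fi
```

Run it as root with `sh kdc-bootstrap.sh --bootstrap`. Sourcing it without the flag only defines the functions, which is how you would reuse write_krb5_conf on client machines; override REALM and KDC_HOST in the environment for your own realm.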

6 Setup PAM

PAM is used by many services for authentication, so it is convenient to have it talk to the KDC as well. Enable Kerberos in PAM as follows. Note: according to the pam_krb5 docs, it only works with MIT Kerberos 5.

emerge pam_krb5

Now edit /etc/pam.d/system-auth:

# Module names below are restored from each line's options and Gentoo's
# default system-auth of the time; check them against your own file.
# auth: the local password is tried first, then Kerberos with the same
# password, so local accounts keep working if the KDC is unreachable.
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_krb5.so try_first_pass
auth       required     pam_deny.so

account    required     pam_unix.so
account    required     pam_krb5.so

# password: changes go to the KDC first; use_authtok reuses the new
# password already checked by pam_cracklib rather than prompting again.
password   required     pam_cracklib.so retry=3
password   sufficient   pam_krb5.so use_authtok
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
session    required     pam_krb5.so

Two things to watch: nullok lets an account with an empty local password log in without any Kerberos check at all, so drop it unless you rely on it, and pam_unix being sufficient ahead of pam_krb5 means a stale local password hash still grants access after the Kerberos password is changed; remove or lock the local password (passwd -l) for accounts that should authenticate only against the KDC.