Kerberos is a secure network authentication system which is based on shared secrets and symmetric encryption. You are not transfer password through network. Instead of that you are send and receive tickets. KDC is central key server, and he has all host, which can send/receive tickets. In this part we will setup some basic KDC server. Install necessary packages in this point, and open firewall ports. After that look in /etc/services for kerberos, krb and kpass.Open that ports in firewall.

[root@security1 ~]# yum -y install krb5-server krb5-workstation

You should setup realm which in this case will be SETENFORCE.COM You should change /etc/krb5.conf (look bellow)

[root@security1 ~]# cat /etc/krb5.conf
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

default_realm = SETENFORCE.COM This is our realm
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms] Setup for our realm
kdc =
admin_server =

[domain_realm] Bellow are list of all hosts in our realm = SETENFORCE.COM = SETENFORCE.COM

pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
validate = true PAM verify that it is talking to the true KDC

OK, you are finished now with configuration files. It is time to initialize the Kerberos database on the KDC with a stash file so it can start up automatically.

[root@security1 ~]# kdb5_util create -r SETENFORCE.COM -s

After this you should change /var/kerberos/krb5kdc/kdc.conf file. Here you will do some basic changes, such as change realm, and remove comment from master_key_type = des3-hmac-sha1 , also be sure that this is set default_principal_flags = +preauth client principal is required to preauthenticate to the KDC before receiving any tickets. You should change line in /var/kerberos/krb5kdc/kadm5.acl according to your realm. After this we can start with adding principals in kerberos, and after that you should create the kadmind keytab file

[root@security1 ~]# kadmin.local
. . .
kadmin.local: addprinc root/admin
. . .
kadmin.local: addprinc testing@SETENFORCE.COM
. . .
kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin
kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw

Now when all is end, you should take care about selinux and kdc services.

[root@security1 var]# restorecon -R /var/log
[root@security1 var]# restorecon -R /var/kerberos/krb5kdc/
[root@security1 var]# chkconfig krb5kdc on
[root@security1 var]# chkconfig kadmin on
[root@security1 var]# /etc/init.d/krb5kdc start
[root@security1 var]# /etc/init.d/kadmin start