How to setup Kerberos on Ubuntu

In a network, there is one machine which acts as a server for Kerberos authentication and the rest of the machines act as clients. On the server machine, we will install Kerberos administrative server and database for Kerberos. On client machines, we will install the Kerberos client. So first we will set up a Kerberos server.

Setting Kerberos Server

Execute the below command to install Kerberos admin server and KDE (key distribution center).

sudo apt install krb5-kdc krb5-admin-server

It will ask you the following three things one by one

  1. Kerberos realm. (let’s say MYREALM)
  2. Kerberos server hostname. Type localhost and enter.
  3. Hostname of the administrative (password changing) server for MYREALM. In this case type localhost and enter.Kerberos installation
    kerberos installation
    kerberos installation
    kerberos installation

Now execute the below command to setup realm.

sudo krb5_newrealm

It will ask you to enter a password for database creation and after that, it will start Kerberos KDC krb5kdc and Kerberos administrative servers kadmind processes.

Open /etc/krb5kdc/kadm5.acl file with your favourite text editor and uncomment the last line so that the file would look like.

# This file Is the access control list for krb5 administration.
# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to allow any principal
# ending in /admin  is given full administrative rights.
# To enable this, uncomment the following line:
*/admin *

Your Kerberos server has been setup.

If you want to add principal, execute

sudo kadmin.local

and then run the command addprinc inside kadmin.local

<span class="hljs-keyword">addprinc </span>your_principal_name


addprinc ashishdoneriya

Setting Kerberos Client

Add Kerberos server machine entry in your client machine /etc/hosts file. Let’s say the hostname of the machine in which you have just installed Kerberos server is ‘host1’ and IP is ‘’ then add this line to /etc/hosts    host1

Execute the below command to install and setup Kerberos client.

sudo apt-get install krb5-user

It will ask 3 thing one by one
realm – MYREALM
hostname – host1
admin server – host1

That’s it. Now to test, run command

kinit -p your_principal_name@MYREALM


kinit -p ashishdoneriya@MYREALM

If you want to remove kerberos and all its configuration and pacakages from your system then

sudo apt-get remove --purge krb5-admin-server krb5-config krb5-kdc krb5-locales

Update : Once I had to setup kerberos client on my machine and the kdc is MIT kdc. Then I setup client on my machine using above process. After that I was facing problems in java during authentication and authorization using kerberos. After a lot of debugging, I found that in my system, encryption types in file /etc/krb5.conf is different than kerberos server’s /etc/krb5.conf. So I replaced my system’s /etc/krb5.conf with server’s and then my java code worked fine.



Leave a Reply

Your email address will not be published. Required fields are marked *