Minimal Configuration

For a basic Kerberos configuration on a modern Linux using the ETH Active Directory, only a set of software packages and one configuration file is needed.


Install the following packages (as root or via sudo):

$ sudo apt -y install krb5-user kstart
RHEL and CentOS
# yum install -y krb5-workstation kstart
# dnf install -y krb5-workstation kstart


As root create the file /etc/krb5.conf and copy-paste the following content:

    default_realm = D.ETHZ.CH
    forwardable = true
    proxiable = true
    ticket_lifetime = 1h
    renew_lifetime = 7d
    default_ccache_name = KEYRING:persistent:%{uid}

    D.ETHZ.CH = {
        kdc =

[domain_realm] = D.ETHZ.CH

    ccselect = {
        disable = k5identity


Kerberos requires clients to have the correct time set. Please make sure that your client updates the time over the network and does not only use the CMOS clock of the BIOS/motherboard.

Page URL:
© 2021 Eidgenössische Technische Hochschule Zürich