Minimal Configuration

For a basic Kerberos configuration on a modern Linux system using the ETH Active Directory, only a set of software packages and one configuration file are needed.

Software

Install the following packages (as root or via sudo):

Ubuntu
$ sudo apt -y install krb5-user kstart
RHEL and CentOS
# yum install -y krb5-workstation kstart
Fedora
# dnf install -y krb5-workstation kstart

Configuration

As root, create the file /etc/krb5.conf and copy-paste the following content:

[libdefaults]
    default_realm = D.ETHZ.CH
    forwardable = true
    proxiable = true
    ticket_lifetime = 1h
    renew_lifetime = 7d
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    D.ETHZ.CH = {
        kdc = d.ethz.ch
    }

[domain_realm]
    .ethz.ch = D.ETHZ.CH

[plugins]
    ccselect = {
        disable = k5identity
    }

Time

Kerberos requires clients to have the correct time set. Please make sure that your client updates the time over the network and does not only use the CMOS clock of the BIOS/motherboard.
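
A quick check of the setup described above, as an added example that is not part of the original page: it reads a krb5.conf, confirms the default realm, the KDC entry and the keyring credential cache from the configuration above, and asks systemd whether the clock is synchronised. The function names are hypothetical, and the clock check assumes a systemd host with timedatectl.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# krb5_get FILE SECTION KEY [SUBSECTION]
# Print the value of KEY in [SECTION], or inside "SUBSECTION = { ... }" there.
krb5_get() {
    awk -v sec="[$2]" -v key="$3" -v want="${4:-}" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*([#;]|$)/ { next }                          # comments, blanks
        /^[ \t]*\[/       { cur = trim($0); blk = ""; next } # [section]
        /^[ \t]*[}]/      { blk = ""; next }                # end of subsection
        {
            i = index($0, "="); if (i == 0) next
            k = trim(substr($0, 1, i - 1)); v = trim(substr($0, i + 1))
            if (v == "{") { blk = k; next }                 # start of subsection
            if (cur == sec && blk == want && k == key) { print v; exit }
        }
    ' "$1"
}

# check_krb5_conf FILE REALM: return 0 if FILE has the settings this page uses.
check_krb5_conf() {
    conf=$1 realm=$2 rc=0
    [ "$(krb5_get "$conf" libdefaults default_realm)" = "$realm" ] ||
        { echo "default_realm is not $realm" >&2; rc=1; }
    [ -n "$(krb5_get "$conf" realms kdc "$realm")" ] ||
        { echo "no kdc listed for $realm in [realms]" >&2; rc=1; }
    case $(krb5_get "$conf" libdefaults default_ccache_name) in
        KEYRING:*) ;;   # tickets held in the kernel keyring, as on this page
        *) echo "credential cache is not a KEYRING: cache" >&2; rc=1 ;;
    esac
    return $rc
}

# check_clock: return 0 if systemd reports the clock as NTP-synchronised.
# Assumption: systemd host; elsewhere query chronyc or ntpq instead.
check_clock() {
    [ "$(timedatectl show -p NTPSynchronized --value 2>/dev/null)" = "yes" ]
}

# With a file argument, run both checks, e.g.: sh check.sh /etc/krb5.conf
if [ -n "${1:-}" ]; then
    check_krb5_conf "$1" D.ETHZ.CH && check_clock && echo "Kerberos client config OK"
fi
```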

Page URL: https://www.isg.inf.ethz.ch/bin/view/Main/HelpDesktopsAndLaptopsLinuxKerberosMinimalConfiguration
2019-09-18
© 2019 Eidgenössische Technische Hochschule Zürich