Minimal Configuration

For a basic Kerberos configuration on a modern Linux system using the ETH Active Directory, only a set of software packages and one configuration file are needed.

Software

Install the following packages (as root or via sudo):

Ubuntu
$ sudo apt -y install krb5-user kstart
RHEL and CentOS
# yum install -y krb5-workstation kstart
Fedora
# dnf install -y krb5-workstation kstart

Configuration

As root, create the file /etc/krb5.conf with the following content:

[libdefaults]
    default_realm = D.ETHZ.CH
    forwardable = true
    proxiable = true
    ticket_lifetime = 1h
    renew_lifetime = 7d
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    D.ETHZ.CH = {
        kdc = d.ethz.ch
    }

[domain_realm]
    .ethz.ch = D.ETHZ.CH

[plugins]
    ccselect = {
        disable = k5identity
    }

Time

Kerberos requires clients to have the correct time set. Please make sure that your client updates the time over the network and does not only use the CMOS clock of the BIOS/motherboard.

The installation should use UTC for the CMOS clock. If local time is used, you will run into issues on the first reboot after every daylight saving time change.
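
Both time requirements above can be checked on a systemd-based host from the output of `timedatectl show`. The script below is an added example, not part of the original page; it assumes systemd's timedatectl is available, and the function name time_audit and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the two time settings the Time section asks for.
# Assumes a systemd host; input is the KEY=VALUE text of `timedatectl show`.

# time_audit (hypothetical name) reads that text on stdin, prints one
# finding per setting, and returns 0 only if both settings are fine.
time_audit() {
    ntp_sync="" local_rtc="" audit_rc=0
    while IFS='=' read -r key value || [ -n "$key" ]; do
        case "$key" in
            NTPSynchronized) ntp_sync=$value ;;
            LocalRTC)        local_rtc=$value ;;
        esac
    done
    # Kerberos needs a correct clock: require network time synchronization.
    if [ "$ntp_sync" = "yes" ]; then
        echo "OK: system clock is synchronized over the network"
    else
        echo "FAIL: no network time sync (NTPSynchronized=${ntp_sync:-missing})"
        audit_rc=1
    fi
    # LocalRTC=yes means the CMOS clock holds local time instead of UTC.
    if [ "$local_rtc" = "no" ]; then
        echo "OK: CMOS clock (RTC) is kept in UTC"
    else
        echo "FAIL: CMOS clock not confirmed as UTC (LocalRTC=${local_rtc:-missing})"
        audit_rc=1
    fi
    return "$audit_rc"
}

# Constructed sample (not from a real host): synced, but RTC in local time.
SAMPLE='Timezone=Europe/Zurich
LocalRTC=yes
NTP=yes
NTPSynchronized=yes'

if [ "${1:-}" = "--live" ]; then
    timedatectl show | time_audit          # audit this machine
else
    printf '%s\n' "$SAMPLE" | time_audit || true   # demo on the sample
fi
```

Run it with `--live` to audit the current machine. A FAIL on LocalRTC can be corrected with `timedatectl set-local-rtc 0`, and missing synchronization with `timedatectl set-ntp true`.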

Page URL: https://www.isg.inf.ethz.ch/bin/view/Main/HelpDesktopsAndLaptopsLinuxKerberosMinimalConfiguration
2024-04-19