Minimal Configuration

For a basic Kerberos configuration on a modern Linux system using the ETH Active Directory, only a set of software packages and one configuration file are needed.


Install the following packages (as root or via sudo):

Debian and Ubuntu
$ sudo apt -y install krb5-user kstart
RHEL and CentOS
# yum install -y krb5-workstation kstart
or
# dnf install -y krb5-workstation kstart


As root, create the file /etc/krb5.conf and copy-paste the following content:

[libdefaults]
    default_realm = D.ETHZ.CH
    forwardable = true
    proxiable = true
    ticket_lifetime = 1h
    renew_lifetime = 7d
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    D.ETHZ.CH = {
        kdc =
    }

[domain_realm]
     = D.ETHZ.CH

[plugins]
    ccselect = {
        disable = k5identity
    }


Kerberos requires clients to have the correct time set. Please make sure that your client updates the time over the network and does not only use the CMOS clock of the BIOS/motherboard.

The installation should use UTC for the CMOS clock. If local time is used, you will run into issues on the first reboot after every daylight saving time change.
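
A check for the two clock requirements above, as an added example that is not part of the original page. It assumes a systemd-based host, since it reads the KEY=VALUE output of `timedatectl show`; the function name check_clock and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the clock prerequisites for Kerberos described above.
# check_clock reads `timedatectl show` style KEY=VALUE lines on stdin.
# On a real host:  timedatectl show | check_clock

check_clock() {
    ntp_sync="" local_rtc="" ntp_enabled=""
    while IFS='=' read -r key value; do
        case "$key" in
            NTPSynchronized) ntp_sync=$value ;;    # clock currently synced over the network
            LocalRTC)        local_rtc=$value ;;   # "yes" = CMOS clock kept in local time
            NTP)             ntp_enabled=$value ;; # time sync service enabled
        esac
    done

    rc=0
    # Requirement 1: the client must update its time over the network.
    if [ "$ntp_sync" != "yes" ]; then
        echo "FAIL: clock not network-synchronized (NTPSynchronized=${ntp_sync:-unknown}, NTP=${ntp_enabled:-unknown})"
        rc=1
    fi
    # Requirement 2: the CMOS clock should be kept in UTC, not local time.
    # A missing value is treated as a failure rather than assumed to be fine.
    if [ "$local_rtc" != "no" ]; then
        echo "FAIL: hardware clock is not confirmed to use UTC (LocalRTC=${local_rtc:-unknown})"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: clock is network-synchronized and the hardware clock uses UTC"
    return "$rc"
}

# Constructed sample of `timedatectl show` output from a misconfigured host
# (hardware clock in local time, no network synchronization).
sample='Timezone=Europe/Zurich
LocalRTC=yes
CanNTP=yes
NTP=no
NTPSynchronized=no'

printf '%s\n' "$sample" | check_clock || true
```

The function returns a non-zero status when either requirement is not met, so it can gate a provisioning step that runs before the first ticket request.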

© 2024 Eidgenössische Technische Hochschule Zürich