Optional: Install a new MIT KDC

The following gives a very high level description of the KDC installation process.

To get more information see specific Operating Systems documentation, such as RHEL documentation, CentOS documentation, or SLES documentation (links below).

Install the KDC Server:

Install a new version of the KDC server:


OS Flavor	Enter
RHEL/CentOS/Oracle Linux	`yum install krb5-server krb5-libs krb5-workstation`
SLES	`zypper install krb5 krb5-server krb5-client`
Ubuntu/Debian	`apt-get install krb5-kdc krb5-admin-server`

Using a text editor, open the KDC server configuration file, located by default here: vi /etc/krb5.conf.
Change the [realms] section of this file by replacing the default “kerberos.example.com” setting for the kdc and admin_server properties with the Fully Qualified Domain Name of the KDC server host. In the following example, “kerberos.example.com” has been replaced with “my.kdc.server”.
```
realms]
 EXAMPLE.COM = {
   kdc = my.kdc.server
   admin_server = my.kdc.server
}
```

Use the utility kdb5_util to create the Kerberos database:


OS Flavor	Enter
RHEL/CentOS/Oracle Linux	`kdb5_util create -s`
SLES	`kdb5_util create -s`
Ubuntu/Debian	`krb5_newrealm`

Start the KDC server and the KDC admin server:


OS Flavor	Enter
RHEL/CentOS/Oracle Linux 6	`/etc/rc.d/init.d/krb5kdc start` `/etc/rc.d/init.d/kadmin start`
RHEL/CentOS/Oracle Linux 7	`systemctl start krb5kdc` `systemctl start kadmin`
SLES	`rckrb5kdc start` `rckadmind start`
Ubuntu/Debian	`service krb5-kdc restart` `service krb5-admin-server restart`

Set up the KDC server to auto-start on boot:


OS Flavor	Enter
RHEL/CentOS/Oracle Linux 6	`chkconfig krb5kdc on` `chkconfig kadmin on`
RHEL/CentOS/Oracle Linux 7	`systemctl enable krb5kdc` `systemctl enable kadmin`
SLES	`chkconfig rckrb5kdc on` `chkconfig rckadmind on`
Ubuntu/Debian	`update-rc.d krb5-kdc defaults` `update-rc.d krb5-admin-server defaults`

Create a Kerberos Admin:

Kerberos principals can be created either on the KDC machine itself or through the network, using an “admin” principal. The following instructions assume you are using the KDC machine and using the kadmin.local command line administration utility. Using kadmin.local on the KDC machine allows you to create principals without needing to create a separate "admin" principal before you start.

Create a KDC admin by creating an admin principal: kadmin.local -q "addprinc admin/admin".

Confirm that this admin principal has permissions in the KDC ACL. Using a text editor, open the KDC ACL file:


OS Flavor	Enter
RHEL/CentOS/Oracle Linux	`vi /var/kerberos/krb5kdc/kadm5.acl`
SLES	`vi /var/lib/kerberos/krb5kdc/kadm5.acl`
Ubuntu/Debian	`vi /etc/krb5kdc/kadm5.acl`

Ensure that the KDC ACL file includes an entry so to allow the admin principal to administer the KDC for your specific realm. When using a realm that is different than EXAMPLE.COM, be sure there is an entry for the realm you are using. If not present, principal creation will fail. For example, for an admin/admin@HADOOP.COM principal, you should have an entry: */admin@HADOOP.COM *.

After editing and saving the kadm5.acl file, you must restart the kadmin process:


OS Flavor	Enter
RHEL/CentOS/Oracle Linux 6	`/etc/rc.d/init.d/kadmin restart`
RHEL/CentOS/Oracle Linux 7	`systemctl restart kadmin`
SLES	`rckadmind restart`
Ubuntu/Debian	`service krb5-admin-server restart`