How to create a Kerberos realm for single sign-on running on NetBSD

You want to organize your users and services into a Kerberos realm to enable single sign-on to your web sites and other services at hostnames under example.com. How do you set it up?

  1. Pick a realm name. This is normally the uppercase form of your organization's DNS domain name, here EXAMPLE.COM.

    Note: Unlike DNS domain names, Kerberos realm names are case-sensitive.

  2. Pick a host to run the Kerberos Key Distribution Center, say kdc.example.com.

    Make sure that TCP and UDP traffic to port 88 on kdc.example.com actually reaches that host, in case it sits behind a NAT, a firewall, or similar.

  3. To make it easier for users, create DNS records in the example.com. zone:

    ; name           ttl     class   type    rrdata
    _kerberos        300     IN      TXT     "EXAMPLE.COM"
    _kerberos._tcp   300     IN      SRV     1 0 88 kdc
    _kerberos._udp   300     IN      SRV     1 0 88 kdc
    

    For access to services under example.com, clients consult the _kerberos.example.com TXT record to find the realm name (see dns_lookup_realm in krb5.conf(5)).

    To find the KDC for the realm EXAMPLE.COM, clients and services will consult _kerberos._tcp.example.com or _kerberos._udp.example.com SRV records (see dns_lookup_kdc in krb5.conf(5)).

    If you don't set this up, you will need to distribute krb5.conf(5) files to all users with the realm name and domain-to-realm mapping; see the [domain_realm] and [realms] sections in the krb5.conf(5) man page for details.
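    The following script is an added example, not part of the original how-to: it checks that the _kerberos records you just published agree with the realm name and KDC host you intend, so a wrong-case TXT string (realm names are case-sensitive) or an SRV record pointing at the wrong host or port is caught before clients start failing. It assumes dig(1) is on the path for the live check; the parsing functions take the text that dig +short prints, so they can also be run against the constructed samples at the bottom.

```shell
#!/bin/sh
# Added example (not from the original how-to): sanity-check the
# _kerberos DNS records of a domain against the expected realm name and
# KDC host. Only check_kerberos_dns needs dig(1) and a resolver; the
# check_* functions work on the text that `dig +short` prints.

# The realm is the uppercased DNS domain; this is exactly the string the
# _kerberos TXT record must carry (no case folding anywhere).
realm_for_domain() {
    printf '%s\n' "$1" | tr 'a-z' 'A-Z'
}

# $1: output of `dig +short TXT _kerberos.<domain>` (a quoted string)
# $2: expected realm name; compared byte for byte.
check_txt_realm() {
    found=$(printf '%s\n' "$1" | sed 's/^"\(.*\)"$/\1/' | head -n 1)
    if [ "$found" = "$2" ]; then
        return 0
    fi
    printf 'TXT _kerberos: got "%s", expected "%s"\n' "$found" "$2" >&2
    return 1
}

# $1: output of `dig +short SRV _kerberos._tcp.<domain>` (or the _udp
#     name), one "priority weight port target." per line
# $2: expected KDC hostname   $3: expected port (default 88)
check_srv_kdc() {
    expected_host=$2
    expected_port=${3:-88}
    if printf '%s\n' "$1" | awk -v host="$expected_host" -v port="$expected_port" '
            NF == 4 {
                target = $4
                sub(/\.$/, "", target)   # strip the trailing dot of the FQDN
                if ($3 == port && target == host) found = 1
            }
            END { exit found ? 0 : 1 }'; then
        return 0
    fi
    printf 'SRV _kerberos: no record pointing at %s port %s\n' \
        "$expected_host" "$expected_port" >&2
    return 1
}

# Live check (needs dig and a resolver): realm TXT plus both SRV names.
check_kerberos_dns() {
    domain=$1
    kdc_host=$2
    realm=$(realm_for_domain "$domain")
    check_txt_realm "$(dig +short TXT "_kerberos.$domain")" "$realm" || return 1
    for proto in _tcp _udp; do
        check_srv_kdc "$(dig +short SRV "_kerberos.$proto.$domain")" "$kdc_host" 88 || return 1
    done
    printf 'DNS records for realm %s look consistent\n' "$realm"
}

# Constructed samples of what `dig +short` prints once the records from
# step 3 are published (not captured from a live zone).
SAMPLE_TXT='"EXAMPLE.COM"'
SAMPLE_SRV='1 0 88 kdc.example.com.'

# Usage against real DNS:  check_kerberos_dns example.com kdc.example.com
```

    Run it from any host that uses the same resolver as your clients; a TXT record of "example.com" in lowercase is reported as a mismatch on purpose, because clients would try to contact a realm that does not exist.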

  4. On kdc.example.com, create /etc/krb5.conf with the following content:

    [libdefaults]
            default_realm = EXAMPLE.COM
            name_canon_rules = as-is:
    

    Check it by running:

    # verify_krb5_conf /etc/krb5.conf
    
  5. Initialize the KDC:

    # kadmin -l init EXAMPLE.COM
    Realm max ticket life [unlimited]:
    Realm max renewable ticket life [unlimited]:
    

    Hit return at each prompt to accept the defaults.

    This will create the database at the default location under /var/heimdal.

  6. Create a user principal and an admin principal. We'll call the user jruser for J. Random User.

    # kadmin -l add --use-defaults jruser
    jruser@EXAMPLE.COM's Password: 
    Verifying - jruser@EXAMPLE.COM's Password: 
    # kadmin -l add --use-defaults jruser/admin
    jruser/admin@EXAMPLE.COM's Password: 
    Verifying - jruser/admin@EXAMPLE.COM's Password: 
    

    The admin principal jruser/admin@EXAMPLE.COM has no intrinsic connection to jruser@EXAMPLE.COM, but by convention it is the principal that is authorized, like a su(1)-style superuser version of jruser, to perform administrative tasks through kadmind(8).

Now you can do kinit jruser@EXAMPLE.COM for client-side single sign-on, and set up kerberized services!