How to create a Kerberos realm for single sign-on running on NetBSD

You want to organize your users and services into a Kerberos realm to enable single sign-on to your web sites and other services at hostnames under How do you set it up?

  1. Pick a realm name. This is normally the uppercase version of your organization's domain name in the DNS, EXAMPLE.COM.

    Note: Unlike DNS domain names, Kerberos realm names are case-sensitive.

  2. Pick a host to run the Kerberos Key Distribution Center, say

    Make sure TCP and/or UDP traffic to goes to the host, in case it is behind a NAT or firewall or similar.

  3. To make it easier for users, create DNS records in the zone:

    ; name           ttl     class   type    rrdata
    _kerberos        300     IN      TXT     "EXAMPLE.COM"
    _kerberos._tcp   300     IN      SRV     1 0 88 kdc
    _kerberos._udp   300     IN      SRV     1 0 88 kdc

    For access to services under, clients will consult TXT records to find the realm name (see dns_lookup_realm in krb5.conf(5))

    To find the KDC for the realm EXAMPLE.COM, clients and services will consult or SRV records (see dns_lookup_kdc in krb5.conf(5)).

    If you don't set this up, you will need to distribute krb5.conf(5) files to all users with the realm name and domain-to-realm mapping; see the [domain_realm] and [realms] sections in the krb5.conf(5) man page for details.

  4. On, create /etc/krb5.conf with the following content:

            default_realm = EXAMPLE.COM
            name_canon_rules = as-is:

    Check it by running:

    # verify_krb5_conf /etc/krb5.conf
  5. Initialize the KDC:

    # kadmin -l init EXAMPLE.COM
    Realm max ticket life [unlimited]:
    Realm max renewable ticket life [unlimited]:

    Hit return when prompted to use the defaults.

    This will create the database at the default location under /var/heimdal.

  6. Create a user principal and an admin principal. We'll call the user jruser for J. Random User.

    # kadmin -l add --use-defaults jruser
    jruser@EXAMPLE.COM's Password: 
    Verifying - jruser@EXAMPLE.COM's Password: 
    # kadmin -l add --use-defaults jruser/admin
    jruser/admin@EXAMPLE.COM's Password: 
    Verifying - jruser/admin@EXAMPLE.COM's Password: 

    The admin principal jruser/admin@EXAMPLE.COM has no intrinsic connection to jruser@EXAMPLE.COM but by convention is chosen to be authorized like a su(1)-style superuser version of jruser for administrative tasks with the help of kadmind(8).

Now you can do kinit jruser@EXAMPLE.COM for client-side single sign-on, and set up kerberized services!