Kerberos Client Configuration

Kerberos client software is included in many operating systems by default. Additional software packages and utilities are available from the standard software distribution sites and the primary project sites such as the MIT Kerberos project.

Configuration examples

For UC Berkeley, some typical MIT Kerberos configuration files are given below.

Note that recent versions of the Kerberos software can, by default, obtain some of the KDC information for a realm from DNS. The configuration examples below therefore rely on DNS lookup of the KDC, enabled explicitly in the RHEL example (dns_lookup_kdc = true) and by default in the Windows example. This makes much of the explicit realm information for BERKELEY.EDU optional: it is commented out in the first example and omitted entirely from the second.

RHEL 6 example /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = BERKELEY.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 BERKELEY.EDU = {
 # kdc = kerberos.berkeley.edu
 # kdc = kerberos-1.berkeley.edu
  admin_server = kerberos.berkeley.edu
 }

[domain_realm]
 .berkeley.edu = BERKELEY.EDU
 berkeley.edu = BERKELEY.EDU

For Windows, an even more minimal working example shows that DNS lookup of the KDC addresses is the default, so no kdc entries are needed:

Windows Server 2008 R2 example c:\windows\krb5.ini

[libdefaults]
 default_realm = BERKELEY.EDU

[realms]
 BERKELEY.EDU = {
  admin_server = kerberos.berkeley.edu:749
  default_domain = berkeley.edu
 }

[domain_realm]
 .berkeley.edu = BERKELEY.EDU
 berkeley.edu = BERKELEY.EDU
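Both files above leave KDC discovery to DNS, which is worth confirming on every client you manage. The following added example (not from this page or from MIT Kerberos) parses the brace-nested krb5.conf format and flags the two choices made in these examples: no explicit kdc entry while dns_lookup_kdc is on, and forwardable tickets by default; the sample text and the finding names are constructed for the example.

```python
# Constructed sample in the style of the RHEL krb5.conf above (not a real
# Berkeley file): DNS lookup on, the explicit kdc line commented out.
SAMPLE_KRB5_CONF = """[libdefaults]
 default_realm = BERKELEY.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = true
 forwardable = true
[realms]
 BERKELEY.EDU = {
 # kdc = kerberos.berkeley.edu
  admin_server = kerberos.berkeley.edu
 }
"""
TRUE_WORDS = ("true", "yes", "on", "1")   # spellings MIT accepts for a boolean

def parse_krb5_conf(text):
    """{section: {key: value}}; '{ }' blocks nest, repeated keys become lists."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank or comment line
            continue
        if line[0] == "[" and line[-1] == "]":  # new section header
            stack = [sections.setdefault(line[1:-1], {})]
            continue
        if line == "}":                         # end of a realm/subsection block
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        elif key in stack[-1]:                  # e.g. several kdc lines
            prev = stack[-1][key]
            stack[-1][key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            stack[-1][key] = value
    return sections

def review(conf):
    """Flag settings to confirm are intended; MIT defaults assumed for absent keys."""
    lib = conf.get("libdefaults", {})
    realm_cfg = conf.get("realms", {}).get(lib.get("default_realm", ""), {})
    findings = []
    if lib.get("dns_lookup_kdc", "true").lower() in TRUE_WORDS and "kdc" not in realm_cfg:
        findings.append("kdc_from_dns_only")    # KDC reached only via DNS SRV answers
    if lib.get("forwardable", "false").lower() in TRUE_WORDS:
        findings.append("forwardable_default")  # every TGT requested forwardable
    return findings
```

Running review(parse_krb5_conf(SAMPLE_KRB5_CONF)) returns both findings for the sample; adding an explicit kdc line to the realm block clears the first.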