DOSC TWiki snapshot as of mid-2005


SettingUpKerberosOnLinux


Making kerberos work under Linux isn't difficult, but the process can be a bit confusing if you don't understand the purpose of each step... so read carefully.

For the moment, these instructions are written for someone with a working knowledge of Unix/Linux.

If you aren't sure that you know what you're doing, ask for help. We'll try to make these instructions easier to understand in the future.


NOTE: for the moment, some of the miscellaneous files dealing with kerberos/sidecar are available from the northstar website (http://northstar-www.dartmouth.edu/~qubit/sidecar/).



Overview

  1. Install the programs for requesting/handling kerberos tickets
  2. Configure some domain-specific files
  3. Learn how to use the three tools kinit, klist, and kdestroy
  4. Troubleshoot, if necessary



Install binaries for your system

It is possible to compile from source, and if you're trying to get kerberos to work on the SharpZaurus or a random Unix OS, that may be your only method.

If you are asked about domain names and such during the installation of the kerberos5 packages, you can just enter blank values (or the default values).

We're using the kerberos5 packages because they are widely available for a variety of OSes and easy to install. Unfortunately, Dartmouth has not yet migrated to kerberos5, so we will be configuring the tools to work with kerberos4 by hand.


Configure the kerberos setup

Type ls /etc/krb*, and you should see something like this:

   /etc/krb5.conf /etc/krb.conf /etc/krb.conf.rpmnew /etc/krb.realms

We just need to configure krb.conf (the rest apply to kerberos5).

If you open up the file and look at the first few lines, you should see something like this:

SICS.SE         kerberos.sics.se admin server
NADA.KTH.SE     kerberos.nada.kth.se admin server
NADA.KTH.SE     sysman.nada.kth.se
NADA.KTH.SE     server.nada.kth.se
ADMIN.KTH.SE    ulysses.admin.kth.se admin server
ADMIN.KTH.SE    graziano.admin.kth.se
ADMIN.KTH.SE    montano.admin.kth.se
BION.KTH.SE     chaplin.bion.kth.se admin server

You may not see a /etc/krb.conf file at all, in which case you can just create one (and put in the appropriate lines for Dartmouth as listed below).

The file krb.conf is an index of kerberos servers for different kerberos domains (Kerberos calls them realms). We want to use the DARTMOUTH.EDU domain (well, that's what I'm assuming! :)

Here are the appropriate lines for Dartmouth:

DARTMOUTH.EDU
DARTMOUTH.EDU   kerberos.dartmouth.edu:750 admin server

Put those at the top of the file (the first line of krb.conf names your local realm) so that the final result looks something like:

DARTMOUTH.EDU
DARTMOUTH.EDU   kerberos.dartmouth.edu:750 admin server
SICS.SE         kerberos.sics.se admin server
NADA.KTH.SE     kerberos.nada.kth.se admin server
NADA.KTH.SE     sysman.nada.kth.se
NADA.KTH.SE     server.nada.kth.se
ADMIN.KTH.SE    ulysses.admin.kth.se admin server
ADMIN.KTH.SE    graziano.admin.kth.se
ADMIN.KTH.SE    montano.admin.kth.se

SUPERUSER NOTES:
  • kerberos.dartmouth.edu is the kerberos server for the Dartmouth kerberos realm
  • Theoretically you could have more than one kerberos server, so we indicate that kerberos.dartmouth.edu is the admin server (I believe that the admin server is the only one used for changing passwords or something like that).
  • By indicating the port number 750 explicitly here, we avoid possible problems with port numbers in /etc/services.

Okay, now let's take a look at /etc/services.

If you installed an rpm or .deb package to get the basic kerberos commands, you probably had a number of ports added to this file for kerberos.

:::To Be Tested::: I'm not sure if you can just leave the default install of the ports alone (I believe that you can). Otherwise, here is the list of all kerberos ports (from one of my Linux boxes):

# in order to get sidecar working, should these be set to kerberos v4 ?
# (see 'local' ports below for more information)
# (turn these k5 ports off..)
#kerberos       88/tcp          kerberos5 krb5  # Kerberos v5
#kerberos       88/udp          kerberos5 krb5  # Kerberos v5
..
..
# need these guys for sidecar to work properly
kerberos-adm    749/tcp                         # Kerberos `kadmin' (v5)
kerberos-iv     750/udp         kerberos4 kerberos-sec kdc
kerberos-iv     750/tcp         kerberos4 kerberos-sec kdc
..
..
#
# Kerberos (Project Athena/MIT) services
# Note that these are for Kerberos v4, and are unregistered/unofficial.  Sites
# running v4 should uncomment these and comment out the v5 entries above.
#
kerberos_master 751/udp                         # Kerberos authentication
kerberos_master 751/tcp                         # Kerberos authentication
passwd_server   752/udp                         # Kerberos passwd server
krbupdate       760/tcp         kreg            # Kerberos registration
kpop            1109/tcp                        # Pop with Kerberos
knetd           2053/tcp                        # Kerberos de-multiplexor
..
..
#
# Kerberos 5 services, also not registered with IANA
#
krb5_prop       754/tcp                         # Kerberos slave propagation
eklogin         2105/tcp                        # Kerberos encrypted rlogin
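To make the two pieces of configuration above (krb.conf and /etc/services) checkable from a script, here is a small Python program. It is an added example for this page, not one of the kclient/sidecar scripts mentioned later and not code from the original author. It assumes the krb.conf layout shown above (first line is the local realm, then lines of the form REALM host[:port] [admin server]) and the usual /etc/services layout, and the sample file contents embedded in it are constructed from the listings on this page. It checks that the realm has an admin server with an explicit port and that the kerberos-iv 750 entries the author says sidecar needs are active; it deliberately does not complain about the v5 port 88 entries, since the page leaves that question open.

```python
"""Sanity checks for the Kerberos 4 client configuration described above.
Added example (not part of the original wiki page): it parses krb.conf and
/etc/services from text and reports what a kinit against DARTMOUTH.EDU would
be missing.  The file formats assumed are the ones shown on this page."""

# Constructed sample, copied from the "final result" krb.conf above.
SAMPLE_KRB_CONF = """\
DARTMOUTH.EDU
DARTMOUTH.EDU   kerberos.dartmouth.edu:750 admin server
SICS.SE         kerberos.sics.se admin server
NADA.KTH.SE     kerberos.nada.kth.se admin server
NADA.KTH.SE     sysman.nada.kth.se
"""

# Constructed excerpt of /etc/services: v5 port 88 commented out, v4 port 750 on.
SAMPLE_SERVICES = """\
#kerberos       88/tcp          kerberos5 krb5  # Kerberos v5
#kerberos       88/udp          kerberos5 krb5  # Kerberos v5
kerberos-adm    749/tcp                         # Kerberos `kadmin' (v5)
kerberos-iv     750/udp         kerberos4 kerberos-sec kdc
kerberos-iv     750/tcp         kerberos4 kerberos-sec kdc
kerberos_master 751/udp                         # Kerberos authentication
"""


def parse_krb_conf(text):
    """Return (local_realm, {realm: [(host, port_or_None, is_admin), ...]}).

    Line 1 of krb.conf names the local realm; each later line is
    'REALM host[:port] [admin server]'.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty krb.conf")
    local_realm = lines[0]
    servers = {}
    for ln in lines[1:]:
        fields = ln.split()
        if len(fields) < 2:
            raise ValueError(f"malformed krb.conf line: {ln!r}")
        realm, hostport = fields[0], fields[1]
        host, _, port = hostport.partition(":")
        is_admin = fields[2:4] == ["admin", "server"]
        servers.setdefault(realm, []).append((host, int(port) if port else None, is_admin))
    return local_realm, servers


def parse_services(text):
    """Return {(name, proto): port} for the active (uncommented) entries.
    A leading '#' switches an entry off; aliases after the port are ignored."""
    active = {}
    for ln in text.splitlines():
        ln = ln.split("#", 1)[0].strip()          # strip comments
        fields = ln.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        try:
            active[(fields[0], proto)] = int(port)
        except ValueError:
            continue                               # odd line, not a port/proto pair
    return active


def check_v4_setup(krb_conf_text, services_text, realm="DARTMOUTH.EDU"):
    """Return a list of problems; an empty list means the config looks right."""
    problems = []
    local_realm, servers = parse_krb_conf(krb_conf_text)
    if local_realm != realm:
        problems.append(f"local realm is {local_realm}, expected {realm}")
    entries = servers.get(realm, [])
    if not entries:
        problems.append(f"no server line for realm {realm}")
    elif not any(is_admin for _, _, is_admin in entries):
        problems.append(f"no admin server marked for {realm}")
    if any(port is None for _, port, _ in entries):
        # Without ':750' kinit falls back to the port in /etc/services,
        # which is exactly the problem the explicit port is meant to avoid.
        problems.append("server without explicit port: kinit will look in /etc/services")
    active = parse_services(services_text)
    for proto in ("udp", "tcp"):
        if active.get(("kerberos-iv", proto)) != 750:
            problems.append(f"kerberos-iv 750/{proto} missing from /etc/services")
    return problems


if __name__ == "__main__":
    # Run on the real files when present, otherwise on the constructed samples.
    import os
    krb = open("/etc/krb.conf").read() if os.path.exists("/etc/krb.conf") else SAMPLE_KRB_CONF
    svc = open("/etc/services").read() if os.path.exists("/etc/services") else SAMPLE_SERVICES
    for p in check_v4_setup(krb, svc) or ["krb.conf and /etc/services look fine"]:
        print(p)
```

Run it as root on the box you are setting up; an empty problem list means both files agree with the Dartmouth lines above. Leaving the port off the server line is reported separately, because that is the case where a stray /etc/services entry (the kerberos5 port, for instance) silently changes where kinit sends your password request.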



Try to get a ticket

To get a ticket from the kerberos.dartmouth.edu server, run kinit like this:

> kinit -4 "Jay R Hacker"


That's "Jay R Hacker", not "Jay R. Hacker". Periods should NOT be included when typing in the DND name. -- AlexFerguson

If you don't want to type in your full DND name, try kclient instead (see the section below).


Did I get a ticket?

Try the command klist: it should give you a list of the kerberos5 and kerberos4 tickets that you currently hold.

If you see something like:

klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1002)

Kerberos 4 ticket cache: /tmp/tkt1402
Principal: Jay R Hacker@DARTMOUTH.EDU

  Issued              Expires             Principal
11/07/02 19:27:20  11/08/02 05:27:20  krbtgt.DARTMOUTH.EDU@DARTMOUTH.EDU

then you've been successful! (The first line is expected: there is no kerberos5 ticket cache because we only configured kerberos4. The Kerberos 4 ticket cache below it is the part that matters.)

If you're having problems, and perhaps get an error like:

   > kinit -4 "Tux E Herring"
   Password for Tux E Herring@DARTMOUTH.EDU:
   kinit(v4): Retry count exceeded (send_to_kdc)
   > 

...that might indicate that you're not connecting to the right domain, server, or port number.

If you're ambitious, just run strace on kinit to see what's going on. (On a Debian box of mine, strace revealed that 'kinit -4' was still trying to connect to the kerberos5 port, 88. strace is a very useful command! :)
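If you want a script (say, a wrapper that runs kinit only when needed) to answer "did I get a ticket?" for you, the following Python is an added example for this page, not code from the original author or the sidecar project. It parses klist output in the format shown above, reports whether a krbtgt for the realm is held and how many seconds it has left, and maps the "Retry count exceeded (send_to_kdc)" error to the troubleshooting hint just given. The sample klist and kinit outputs embedded in it are copied from this page's examples; the datetime format (MM/DD/YY hh:mm:ss) is read off those samples.

```python
"""Decide from 'klist' output whether a usable Kerberos 4 ticket-granting ticket
is held, and classify the kinit failure shown above.  Added example, not part of
the original page; it assumes the klist/kinit output formats shown on this page."""

import re
from datetime import datetime

# Constructed sample, copied from the successful klist run shown above.
SAMPLE_KLIST = """\
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1002)

Kerberos 4 ticket cache: /tmp/tkt1402
Principal: Jay R Hacker@DARTMOUTH.EDU

  Issued              Expires             Principal
11/07/02 19:27:20  11/08/02 05:27:20  krbtgt.DARTMOUTH.EDU@DARTMOUTH.EDU
"""

# Constructed sample of the failed kinit from the troubleshooting text above.
SAMPLE_KINIT_FAIL = """\
Password for Tux E Herring@DARTMOUTH.EDU:
kinit(v4): Retry count exceeded (send_to_kdc)
"""

TIME_FMT = "%m/%d/%y %H:%M:%S"
# A ticket row: issued timestamp, expiry timestamp, service principal.
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")


def parse_klist_v4(text):
    """Return {'cache', 'principal', 'tickets': [(issued, expires, service), ...]}.
    The Kerberos 5 'No credentials cache found' line is normal for this setup
    (only v4 is configured) and is ignored."""
    info = {"cache": None, "principal": None, "tickets": []}
    for ln in text.splitlines():
        ln = ln.strip()
        if ln.startswith("Kerberos 4 ticket cache:"):
            info["cache"] = ln.split(":", 1)[1].strip()
        elif ln.startswith("Principal:"):
            info["principal"] = ln.split(":", 1)[1].strip()
        else:
            m = TICKET_RE.match(ln)
            if m:
                issued = datetime.strptime(m.group(1), TIME_FMT)
                expires = datetime.strptime(m.group(2), TIME_FMT)
                info["tickets"].append((issued, expires, m.group(3)))
    return info


def tgt_status(info, realm, now):
    """Return (ok, seconds_left): ok only if a krbtgt for `realm` is held and
    has not expired at `now` (a datetime)."""
    want = f"krbtgt.{realm}@{realm}"
    for _issued, expires, service in info["tickets"]:
        if service == want:
            left = (expires - now).total_seconds()
            return left > 0, max(left, 0.0)
    return False, 0.0


def classify_kinit_failure(text):
    """Map kinit's error text to the likely cause, per the troubleshooting
    notes above (a hint to check first, not a full diagnosis)."""
    if "Retry count exceeded (send_to_kdc)" in text:
        return "no answer from the KDC: check realm, server name and port (750) in krb.conf"
    return "unrecognised kinit error"


if __name__ == "__main__":
    import subprocess
    try:
        r = subprocess.run(["klist"], capture_output=True, text=True)
        out = r.stdout + r.stderr
    except FileNotFoundError:
        out = SAMPLE_KLIST            # no klist on this box: use the sample
    info = parse_klist_v4(out)
    ok, left = tgt_status(info, "DARTMOUTH.EDU", datetime.now())
    print("valid TGT, %d minutes left" % (left // 60) if ok else "no valid TGT: run kinit -4")
    print(classify_kinit_failure(SAMPLE_KINIT_FAIL))
```

On the sample above the ticket was issued at 19:27:20 and expires at 05:27:20 the next morning, i.e. a ten-hour lifetime; tgt_status counts down from that, so a wrapper can refuse to start a long job on a ticket that is about to expire instead of failing half way through.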


How do I get rid of my ticket? -- I'm on a public machine...

Don't forget that SidecarForLinux can deal with multi-user machines correctly. You do have to trust whoever has root on the machine (but you're already doing that when you run kinit); apart from the superuser, though, no other user can authenticate using your kerberos ticket.

That aside, if you want to get rid of your ticket, just type kdestroy.

Example:

  > kdestroy
  kdestroy: No credentials cache found while destroying cache
  Kerberos 4 ticket cache destroyed.
  > 



Some useful scripts

There have been a few different kclient scripts. All of them automate, to some degree, the process of getting a kerberos ticket from the DND.

If you unpack the kclient.tar (found on my northstar AFS space), you'll find the files kclient and DND.pm


Try putting kclient into /usr/local/bin, and DND.pm into /usr/lib/perl5/5.6.1/ (basically it needs to be somewhere in the Perl include path so that the kclient script knows where to find it).

Usage is:

> kclient <DND name or nickname>

This tool is really nice, because you don't have to enter your full DND name.


Nice GUI interface

Ummm. We're working on that. There is a gnome-kerberos package that has a GUI-thing for kerberos5, but it's not at all like what we have on the Mac/Windows side. Hopefully we'll have something (at least in beta) by the end of 2002.

UPDATE: okay, so we don't have any GUI interface yet. We might continue working on the kerberos stuff, or we might start working on PKI stuff instead. More on that soon.


RobinsonTryon - 07 Nov 2002