Kerberos Server HowTo

Kerberos is a network authentication protocol that uses “tickets” to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. (Source: Kerberos_(protocol))



Please read about it here: Kerberos_(protocol), and especially the Kerberos How-to.

Required Packages

Server (OpenWrt)

  • krb5-server
    • krb5-libs (dependency of krb5-server)

Client (OpenWrt)

  • krb5-client



opkg install krb5-server


Server configuration

Create the file /etc/krb5.conf with the following contents. Example:

[libdefaults]
    default_realm = YOURDOMAIN.ORG
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    YOURDOMAIN.ORG = {
        kdc = server_address_of_this_machine:88
        admin_server = server_address_of_this_machine:749
        default_domain = yourdomain.org
    }


Replace YOURDOMAIN.ORG / yourdomain.org with the name of the domain the server should act for (names must be specified in upper-/lowercase as shown above). Replace server_address_of_this_machine with the host name or IP address of the server you are setting up.

Starting the server

Start the server by issuing

/etc/init.d/krb5kdc start

This should create the /etc/krb5kdc/ directory with the following files

-rw-------    1 root     root         8192 Feb 13 11:17 principal
-rw-------    1 root     root         8192 Feb 13 09:12 principal.kadm5
-rw-------    1 root     root            0 Feb 13 09:12 principal.kadm5.lock
-rw-------    1 root     root            0 Feb 13 11:17 principal.ok
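
As an added example (not part of the original page or of the krb5 packages), the shell functions below check two things from the steps above: that the default_realm in /etc/krb5.conf has a matching stanza with a kdc entry under [realms], and that the database files in /etc/krb5kdc/ keep the owner-only mode shown in the listing. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: post-setup checks for the KDC. Function names are hypothetical.

# Print the realm named by "default_realm = ..." in a krb5.conf.
default_realm() {  # usage: default_realm FILE
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Succeed only if [realms] holds a "REALM = {" stanza with a non-empty kdc entry.
realm_has_kdc() {  # usage: realm_has_kdc FILE REALM
    awk -v realm="$2" '
        substr($1, 1, 1) == "[" { in_realms = ($1 == "[realms]"); in_stanza = 0; next }
        in_realms && $1 == realm && $2 == "=" && $3 == "{" { in_stanza = 1; next }
        in_stanza && $1 == "}" { in_stanza = 0 }
        in_stanza && $1 == "kdc" && $2 == "=" && $3 != "" { found = 1 }
        END { exit !found }
    ' "$1"
}

# The principal database holds the long-term keys of every principal, so each
# file must stay owner-only (-rw-------). Report deviations; fail if any.
kdc_files_private() {  # usage: kdc_files_private DIR
    bad=0
    for f in principal principal.kadm5 principal.kadm5.lock principal.ok; do
        if [ ! -e "$1/$f" ]; then
            echo "missing: $1/$f"; bad=1; continue
        fi
        mode=$(ls -ld "$1/$f" | cut -c1-10)   # first 10 chars = type + permission bits
        [ "$mode" = "-rw-------" ] || { echo "too permissive: $mode $1/$f"; bad=1; }
    done
    return "$bad"
}

# On the router (paths from this page):
#   realm_has_kdc /etc/krb5.conf "$(default_realm /etc/krb5.conf)" && kdc_files_private /etc/krb5kdc
```
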

If you don't get any error messages, check your server by logging on with

kadmin.local

If everything works well, you will see the following message

root@bridge:~# kadmin.local
Authenticating as principal xxxxxxx/admin@YOURDOMAIN.ORG with password.

Testing the server

Perform the tests as described in the Kerberos How-to document on page 16/17.

Start on boot

To enable/disable automatic start on boot:

/etc/init.d/krb5kdc enable

This simply creates a symlink: /etc/rc.d/S60krb5kdc → /etc/init.d/krb5kdc

/etc/init.d/krb5kdc disable

This removes the symlink again.


