NOTE: CentOS Enterprise Linux is built from the Red Hat Enterprise Linux source code. Other than logo and name changes, CentOS Enterprise Linux is compatible with the equivalent Red Hat version. This document applies equally to both Red Hat and CentOS Enterprise Linux.
Setting up a Kerberos 5 client is less involved than setting up
a server. At a minimum, install the client packages and provide
each client with a valid krb5.conf
configuration file. Kerberized versions of rsh and rlogin also
require some configuration changes.
Be sure that time synchronization is in place between the
Kerberos client and the KDC. Refer to Section 19.5 Configuring a Kerberos 5
Server for more information. In addition, verify that DNS
is working properly on the Kerberos client before configuring the
Kerberos client programs.
Install the krb5-libs and krb5-workstation packages on all of the client
machines. Supply a valid /etc/krb5.conf
file for each client (usually this can be the same krb5.conf file used by the KDC).
Before a workstation in the realm can allow users to connect
using kerberized rsh and rlogin, that workstation must have the xinetd package installed and have its own host
principal in the Kerberos database. The kshd and klogind server
programs also need access to the keys for their service's
Using kadmin, add a host principal for
the workstation on the KDC. The instance in this case is the
hostname of the workstation. Use the -randkey option of kadmin's addprinc command
to create the principal and assign it a random key:
addprinc -randkey host/blah.example.com
Now that the principal has been created, keys can be extracted
for the workstation by running kadmin
on the workstation itself, and using the
ktadd command within kadmin:
ktadd -k /etc/krb5.keytab host/blah.example.com
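Added example (not part of the original guide): a shell check to run after ktadd, confirming that the keytab lists the host principal and grants no access to group or other, since the file holds the host's long-term keys. The realm EXAMPLE.COM, the function names and the sample klist -k listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Post-ktadd checks for the keytab created above (added example).
# Assumed: realm EXAMPLE.COM; klist comes from krb5-workstation.

# Return 0 if the `klist -k` listing on stdin contains principal $1.
# Entry lines have the form "<KVNO> <principal>".
keytab_has_principal() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit !found }'
}

# Return 0 only if file $1 grants no permissions to group or other
# (for example mode 600 or 400). Uses the mode string printed by ls -ld.
keytab_mode_ok() {
    perms=$(ls -ld "$1" | cut -c5-10) || return 2
    [ "$perms" = "------" ]
}

# Constructed sample of `klist -k /etc/krb5.keytab` output (not from a real host).
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/blah.example.com@EXAMPLE.COM
   2 host/blah.example.com@EXAMPLE.COM
EOF
}

# Live use on a client, as root:
#   klist -k /etc/krb5.keytab | keytab_has_principal "host/$(hostname -f)@EXAMPLE.COM"
#   keytab_mode_ok /etc/krb5.keytab
if sample_klist | keytab_has_principal "host/blah.example.com@EXAMPLE.COM"; then
    echo "host principal present in sample listing"
else
    echo "host principal missing from sample listing"
fi
```

A failed principal check usually means ktadd was run for a name that differs from the workstation's fully qualified hostname, which ties back to the DNS requirement stated earlier.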
To use other kerberized network services, they must first be
started. Below is a list of some common kerberized services and
instructions about enabling them:
rsh and rlogin — To use the kerberized versions of rsh and rlogin, enable
Telnet — To use kerberized Telnet, krb5-telnet must be enabled.
FTP — To provide FTP access, create and extract a key for
the principal with a root of ftp. Be certain to set the instance to the
fully qualified hostname of the FTP server, then enable gssftp.
IMAP — For a kerberized IMAP server, the cyrus-imap package uses Kerberos 5 if
the cyrus-sasl-gssapi package is also installed.
The cyrus-sasl-gssapi package contains
the Cyrus SASL plugins which support GSS-API authentication. Cyrus
IMAP should function properly with Kerberos as long as the
cyrus user is able to find the proper key
in /etc/krb5.keytab, and the root for the
principal is set to imap (created with
The dovecot package also contains an
IMAP server alternative to cyrus-imap,
which is also included with Red Hat Enterprise Linux, but does not
support GSS-API and Kerberos to date.
CVS — To use a kerberized CVS server, gserver uses a principal with a root of cvs and is otherwise identical to the CVS
For details about how to enable services, refer to the chapter
titled Controlling Access to Services in
the Red Hat Enterprise Linux System