Enhance Dockerfile and entrypoint script for Kerberos initialization

- Added krb5-admin-server and updated entrypoint to ensure proper initialization of the Kerberos realm.
- Improved error handling for required environment variables in entrypoint script.
- Updated README with additional prerequisites and client configuration instructions.
- Modified env.example to remove default passwords for security.
- Enhanced run-container script to set container hostname based on KDC_HOST.

README.md

@@ -2,19 +2,31 @@
 
 MIT Kerberos V KDC + admin server container running on Ubuntu 26.04.
 
+## Prerequisites
+
+Kerberos is sensitive to hostname resolution. Before running this container:
+
+- `KRB5_KDC_HOST` must resolve to the container from every client machine (forward DNS or `/etc/hosts`).
+- The container's own hostname should match `KRB5_KDC_HOST` so that service tickets are issued for the correct principal. Set it with `--hostname` / the container runtime's hostname option.
+- Reverse DNS (PTR records) for the KDC host is strongly recommended — some Kerberos operations fail without it.
+
+DNS lookup of KDC addresses is disabled in the generated `krb5.conf` (`dns_lookup_kdc = false`); the value of `KRB5_KDC_HOST` is used directly instead.
+
 ## Environment variables
 
 | Variable | Default | Description |
 |---|---|---|
 | `KRB5_REALM` | `EXAMPLE.ORG` | Kerberos realm (uppercase) |
 | `KRB5_DOMAIN` | `example.org` | DNS domain mapped to the realm |
-| `KRB5_KDC_HOST` | `localhost` | Hostname clients use to reach this KDC |
-| `KRB5_MASTER_PASSWORD` | `changeit` | Database master key (set once, never changes) |
+| `KRB5_KDC_HOST` | *(required)* | FQDN of this KDC, used by clients and in service ticket names |
+| `KRB5_MASTER_PASSWORD` | *(required on first start)* | Database master key — set once, cannot be changed without destroying the database |
 | `KRB5_ADMIN_PRINCIPAL` | `admin` | Name of the bootstrap admin principal |
-| `KRB5_ADMIN_PASSWORD` | `changeit` | Password for `<admin>/admin@<REALM>` |
+| `KRB5_ADMIN_PASSWORD` | *(required on first start)* | Password for `<admin>/admin@<REALM>` |
 
 Copy `env.example` to `~/app-data/kerberos/kerberos.env` and fill in real values before first run.
 
+> **Important:** `KRB5_MASTER_PASSWORD` and `KRB5_ADMIN_PASSWORD` are only required on first start. Once the realm is initialised (the database file exists in the volume), these variables are not read and can be removed from the env file for enhanced security. The master password cannot be changed without wiping the `kerberos_data` volume and reinitialising the realm, which invalidates all issued tickets and keytabs.
+
 ## Build
 
 ```bash
@@ -27,25 +39,118 @@ Copy `env.example` to `~/app-data/kerberos/kerberos.env` and fill in real values
 ./scripts/run-container.sh
 ```
 
-The realm database is persisted in the `kerberos_data` volume (`/var/lib/krb5kdc`). Realm initialization runs only on first start.
+The `kerberos_data` volume (`/var/lib/krb5kdc`) holds the realm database, configuration, and keytab. All files are written once on first start. On subsequent starts the container requires no environment variables — the persisted configuration is used as-is. Sensitive variables (`KRB5_MASTER_PASSWORD`, `KRB5_ADMIN_PASSWORD`) can be removed from the env file after the realm is initialised.
 
 ## Ports
 
 | Port | Protocol | Service |
 |---|---|---|
-| 88 | TCP/UDP | KDC |
-| 464 | TCP/UDP | kpasswd |
-| 749 | TCP | kadmin |
+| 88 | TCP/UDP | KDC (ticket granting) |
+| 464 | TCP/UDP | kpasswd (password changes) |
+| 749 | TCP | kadmin (remote administration) |
+
+## Client configuration
+
+Pre-authentication is required (`+preauth` is set by default), so clients must supply a password or keytab — anonymous TGT requests are rejected.
+
+The KDC hostname (`KRB5_KDC_HOST`) must be resolvable from every client machine via DNS or a local hosts file entry.
+
+### Linux
+
+Install the MIT Kerberos client tools:
+
+```bash
+sudo apt install krb5-user        # Debian / Ubuntu
+sudo dnf install krb5-workstation # Fedora / RHEL
+```
+
+Create `/etc/krb5.conf`:
+
+```ini
+[libdefaults]
+    default_realm = EXAMPLE.ORG
+
+[realms]
+    EXAMPLE.ORG = {
+        kdc = kerberos.example.org
+        admin_server = kerberos.example.org
+    }
+
+[domain_realm]
+    .example.org = EXAMPLE.ORG
+    example.org = EXAMPLE.ORG
+```
+
+```bash
+kinit user@EXAMPLE.ORG   # obtain a ticket
+klist                     # verify
+kdestroy                  # release
+```
+
+### macOS
+
+Kerberos (Heimdal) is built into macOS — no installation required. It is interoperable with MIT KDCs.
+
+Create `/etc/krb5.conf` with the same content as the Linux example above.
+
+```bash
+kinit user@EXAMPLE.ORG
+klist
+kdestroy
+```
+
+Acquired tickets are also visible in **Ticket Viewer** (`/System/Library/CoreServices/Ticket Viewer.app`).
+
+For SSH with GSSAPI, add to `~/.ssh/config`:
+
+```
+Host *.example.org
+    GSSAPIAuthentication yes
+    GSSAPIDelegateCredentials yes
+```
+
+### Windows (standalone, not domain-joined)
+
+Install **MIT Kerberos for Windows** (KfW) from [web.mit.edu/kerberos/dist](https://web.mit.edu/kerberos/dist/). The built-in Windows Kerberos provider (SSPI) is designed for Active Directory domain membership and is not suitable for standalone use against a custom KDC.
+
+Create the configuration file at `%ProgramData%\MIT\Kerberos5\krb5.ini` (system-wide) or set the `KRB5_CONFIG` environment variable to point to a file of your choice:
+
+```ini
+[libdefaults]
+    default_realm = EXAMPLE.ORG
+
+[realms]
+    EXAMPLE.ORG = {
+        kdc = kerberos.example.org
+        admin_server = kerberos.example.org
+    }
+
+[domain_realm]
+    .example.org = EXAMPLE.ORG
+    example.org = EXAMPLE.ORG
+```
+
+Use the KfW **Network Identity Manager** GUI or the bundled command-line tools from a Command Prompt:
+
+```cmd
+kinit user@EXAMPLE.ORG
+klist
+kdestroy
+```
 
 ## Managing principals
 
-Exec into the container and use `kadmin.local` (no password needed):
+Exec into the running container, then use `kadmin.local` (no password required):
+
+```bash
+container exec -it kerberos bash
+```
 
 ```bash
 # List all principals
 kadmin.local -q "listprincs"
 
-# Add a principal
+# Add a user principal
 kadmin.local -q "addprinc username@REALM"
 
 # Add a service principal and extract a keytab