Enhance Dockerfile and README to clarify user permissions and capabilities for Kerberos container

Dockerfile

@@ -5,13 +5,27 @@ RUN apt-get update && \
         krb5-kdc \
         krb5-admin-server \
         krb5-config \
+        libcap2-bin \
         tini && \
     rm -rf /var/lib/apt/lists/*
 
-COPY entrypoint.sh /entrypoint
+RUN groupadd -r krb5 && useradd -r -g krb5 -s /sbin/nologin krb5
+
+# Allow binding to privileged ports without root
+RUN setcap cap_net_bind_service=+ep /usr/sbin/krb5kdc && \
+    setcap cap_net_bind_service=+ep /usr/sbin/kadmind
+
+# Pre-create files the entrypoint writes to outside the volume
+RUN mkdir -p /etc/krb5kdc && \
+    touch /etc/krb5.conf && \
+    chown -R krb5:krb5 /etc/krb5kdc /etc/krb5.conf /var/lib/krb5kdc
+
+COPY --chown=krb5:krb5 entrypoint.sh /entrypoint
 
 RUN chmod +x /entrypoint
 
+USER krb5
+
 EXPOSE 88/tcp 88/udp 464/tcp 464/udp 749/tcp
 
 ENTRYPOINT ["tini", "--", "/entrypoint"]

README.md

@@ -67,6 +67,9 @@ This creates `slawek/admin@REALM` and grants it full kadmin rights via the ACL.
 ./scripts/run-container.sh
 ```
 
+Runs as user `krb5`; `CAP_NET_BIND_SERVICE` is granted to the daemon binaries at build time via `setcap`.
+
+
 The `kerberos_data` volume (`/var/lib/krb5kdc`) holds the realm database, configuration, and keytab. All files are written once on first start. On subsequent starts the container requires no environment variables — the persisted configuration is used as-is. Sensitive variables (`KRB5_MASTER_PASSWORD`, `KRB5_ADMIN_PASSWORD`) can be removed from the env file after the realm is initialised.
 
 ## Ports