From d03cc1c04b067e7522693eb1761a60f096f6fa76 Mon Sep 17 00:00:00 2001
From: Slawomir Koszewski
Date: Thu, 14 May 2026 22:45:10 +0200
Subject: [PATCH] Added AI generated scaffold based on OpenLDAP project structure.
---
Dockerfile | 16 ++++++++++
README.md | 65 ++++++++++++++++++++++++++++++++++++++++
docker-bake.hcl | 5 ++++
entrypoint.sh | 64 +++++++++++++++++++++++++++++++++++++++
env.example | 6 ++++
scripts/build.sh | 14 +++++++++
scripts/run-container.sh | 16 ++++++++++
7 files changed, 186 insertions(+)
create mode 100644 Dockerfile
create mode 100644 README.md
create mode 100644 docker-bake.hcl
create mode 100755 entrypoint.sh
create mode 100644 env.example
create mode 100755 scripts/build.sh
create mode 100755 scripts/run-container.sh
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..7a0bb6c
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,16 @@
+FROM ubuntu:26.04
+
+RUN apt-get update && \
+ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+ krb5-kdc \
+ krb5-admin-server \
+ krb5-config && \
+ rm -rf /var/lib/apt/lists/*
+
+COPY entrypoint.sh /entrypoint
+
+RUN chmod +x /entrypoint
+
+EXPOSE 88/tcp 88/udp 464/tcp 464/udp 749/tcp
+
+ENTRYPOINT ["/entrypoint"]
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..3a57de0
--- /dev/null
+++ b/README.md
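Review bot: The image has no `USER` directive, so `krb5kdc` and `kadmind` (and the entrypoint that writes the realm config) run as root; the KDC holds every principal's key, so a dedicated uid with `/var/lib/krb5kdc` and `/etc/krb5kdc` chowned to it is what I would expect here, even if that needs the entrypoint's config writes adjusted. The separate `RUN chmod +x /entrypoint` layer can be folded into the copy with `COPY --chmod=0755 entrypoint.sh /entrypoint`. `FROM ubuntu:26.04` is tagged but not digest-pinned, so rebuilds are not reproducible; consider `FROM ubuntu:26.04@sha256:…`. A `HEALTHCHECK` is also missing for what is a long-running service, though the packages installed here give no obvious cheap probe, so that may need a small script.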
@@ -0,0 +1,65 @@
+# Kerberos Server
+
+MIT Kerberos V KDC + admin server container running on Ubuntu 26.04.
+
+## Environment variables
+
+| Variable | Default | Description |
+|---|---|---|
+| `KRB5_REALM` | `EXAMPLE.ORG` | Kerberos realm (uppercase) |
+| `KRB5_DOMAIN` | `example.org` | DNS domain mapped to the realm |
+| `KRB5_KDC_HOST` | `localhost` | Hostname clients use to reach this KDC |
+| `KRB5_MASTER_PASSWORD` | `changeit` | Database master key (set once, never changes) |
+| `KRB5_ADMIN_PRINCIPAL` | `admin` | Name of the bootstrap admin principal |
+| `KRB5_ADMIN_PASSWORD` | `changeit` | Password for `/admin@` |
+
+Copy `env.example` to `~/app-data/kerberos/kerberos.env` and fill in real values before first run.
+
+## Build
+
+```bash
+./scripts/build.sh
+```
+
+## Run
+
+```bash
+./scripts/run-container.sh
+```
+
+The realm database is persisted in the `kerberos_data` volume (`/var/lib/krb5kdc`). Realm initialization runs only on first start.
+
+## Ports
+
+| Port | Protocol | Service |
+|---|---|---|
+| 88 | TCP/UDP | KDC |
+| 464 | TCP/UDP | kpasswd |
+| 749 | TCP | kadmin |
+
+## Managing principals
+
+Exec into the container and use `kadmin.local` (no password needed):
+
+```bash
+# List all principals
+kadmin.local -q "listprincs"
+
+# Add a principal
+kadmin.local -q "addprinc username@REALM"
+
+# Add a service principal and extract a keytab
+kadmin.local -q "addprinc -randkey ldap/ldap.example.org@REALM"
+kadmin.local -q "ktadd -k /tmp/ldap.keytab ldap/ldap.example.org@REALM"
+```
+
+## OpenLDAP SASL/GSSAPI integration
+
+1. Create the LDAP service principal and extract a keytab:
+ ```bash
+ kadmin.local -q "addprinc -randkey ldap/ldap.example.org@REALM"
+ kadmin.local -q "ktadd -k /tmp/ldap.keytab ldap/ldap.example.org@REALM"
+ ```
+2. Copy the keytab into the OpenLDAP container at `/etc/ldap/ldap.keytab`.
+3. Set `KRB5_KTNAME=/etc/ldap/ldap.keytab` in the OpenLDAP container environment.
+4.
Install `libsasl2-modules-gssapi-mit` in the OpenLDAP image and enable the `GSSAPI` SASL mechanism. diff --git a/docker-bake.hcl b/docker-bake.hcl new file mode 100644 index 0000000..5703de3 --- /dev/null +++ b/docker-bake.hcl @@ -0,0 +1,5 @@ +target "default" { + context = "." + dockerfile = "Dockerfile" + tags = ["registry.koszewscy.waw.pl/kerberos:latest"] +} diff --git a/entrypoint.sh b/entrypoint.sh new file mode 100755 index 0000000..d9b14ad --- /dev/null +++ b/entrypoint.sh @@ -0,0 +1,64 @@ +#!/usr/bin/env bash + +set -e + +REALM="${KRB5_REALM:-EXAMPLE.ORG}" +DOMAIN="${KRB5_DOMAIN:-example.org}" +KDC_HOST="${KRB5_KDC_HOST:-localhost}" +MASTER_PASSWORD="${KRB5_MASTER_PASSWORD:-changeit}" +ADMIN_PRINCIPAL="${KRB5_ADMIN_PRINCIPAL:-admin}" +ADMIN_PASSWORD="${KRB5_ADMIN_PASSWORD:-changeit}" + +cat > /etc/krb5.conf < /etc/krb5kdc/kdc.conf < /etc/krb5kdc/kadm5.acl </dev/null 2>&1; then + container build -t "registry.koszewscy.waw.pl/kerberos:latest" "$REPO_DIR" +elif command -v docker >/dev/null 2>&1; then + docker buildx bake --file "$REPO_DIR/docker-bake.hcl" +else + echo "No supported container tool found." >&2 + exit 1 +fi diff --git a/scripts/run-container.sh b/scripts/run-container.sh new file mode 100755 index 0000000..7a936ff --- /dev/null +++ b/scripts/run-container.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash + +set -e + +if command -v container >/dev/null 2>&1; then + container run -d --name kerberos \ + --env-file ~/app-data/kerberos/kerberos.env \ + -v kerberos_data:/var/lib/krb5kdc \ + -p 88:88/tcp -p 88:88/udp \ + -p 464:464/tcp -p 464:464/udp \ + -p 749:749/tcp \ + kerberos:latest +else + echo "Error: 'container' command not found. Please install the 'container' CLI tool." >&2 + exit 1 +fi
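Review bot: The bake target publishes only the mutable `registry.koszewscy.waw.pl/kerberos:latest` tag, so a deployment cannot pin the KDC image it runs and a later push silently replaces it. A version or git-SHA tag alongside `latest` keeps the convenience without losing the pin, e.g. `variable "TAG" { default = "latest" }` and `tags = ["registry.koszewscy.waw.pl/kerberos:${TAG}", "registry.koszewscy.waw.pl/kerberos:latest"]`, with `TAG` set from CI.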
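Review bot: `container run` in run-container.sh references `kerberos:latest`, but both build paths in this patch tag the image `registry.koszewscy.waw.pl/kerberos:latest` (the `container build -t` line in scripts/build.sh and the bake target), so unless the `container` CLI strips the registry prefix this script will not find the image it just built; use the same fully qualified name in both places. The script also publishes 88, 464 and 749 on all interfaces without checking that `~/app-data/kerberos/kerberos.env` exists, and the README documents `changeit` as the default master and admin password, so a missing or stale env file (if the tool tolerates one) would expose a KDC with known admin credentials; I would add `[ -f ~/app-data/kerberos/kerberos.env ] || { echo "kerberos.env not found" >&2; exit 1; }` before the run and bind the published ports to an explicit host address (`-p 127.0.0.1:749:749/tcp` for kadmin at minimum). `set -e` without `-u` also lets an unset variable pass silently; `set -eu` is the usual choice for a script this short.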