Kerberos Server
MIT Kerberos V KDC + admin server container running on Ubuntu 26.04.
Environment variables
| Variable | Default | Description |
|---|---|---|
| `KRB5_REALM` | `EXAMPLE.ORG` | Kerberos realm (uppercase) |
| `KRB5_DOMAIN` | `example.org` | DNS domain mapped to the realm |
| `KRB5_KDC_HOST` | `localhost` | Hostname clients use to reach this KDC |
| `KRB5_MASTER_PASSWORD` | `changeit` | Database master key (set once, never changes) |
| `KRB5_ADMIN_PRINCIPAL` | `admin` | Name of the bootstrap admin principal |
| `KRB5_ADMIN_PASSWORD` | `changeit` | Password for `<admin>/admin@<REALM>` |
Copy `env.example` to `~/app-data/kerberos/kerberos.env` and fill in real values (the `changeit` defaults are placeholders) before the first run.
Build
```sh
./scripts/build.sh
```
Run
```sh
./scripts/run-container.sh
```
The realm database is persisted in the kerberos_data volume (/var/lib/krb5kdc). Realm initialization runs only on first start.
Ports
| Port | Protocol | Service |
|---|---|---|
| 88 | TCP/UDP | KDC |
| 464 | TCP/UDP | kpasswd |
| 749 | TCP | kadmin |
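Clients need a `krb5.conf` that points at the host and ports above and maps the DNS domain to the realm. The following is an added helper, not part of this repository: it parses the same `kerberos.env` file the container reads, flags values a practitioner should fix before first start (non-uppercase realm, passwords still at the `changeit` default), and renders a matching client `krb5.conf`. The sample env text is constructed here for illustration.

```python
"""Check kerberos.env and render a client krb5.conf for this KDC container."""

DEFAULT_PASSWORD = "changeit"  # the placeholder shipped in env.example


def parse_env(text):
    """Parse KEY=value lines; blanks, comments and an optional 'export ' prefix are ignored."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        if sep:
            env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def check_env(env):
    """Return a list of problems to fix before the realm is initialized (it happens only once)."""
    problems = []
    realm = env.get("KRB5_REALM", "")
    if not realm:
        problems.append("KRB5_REALM is not set")
    elif realm != realm.upper():
        problems.append("KRB5_REALM must be uppercase")
    for key in ("KRB5_MASTER_PASSWORD", "KRB5_ADMIN_PASSWORD"):
        # A missing key falls back to the container default, which is the same placeholder.
        if env.get(key, DEFAULT_PASSWORD) == DEFAULT_PASSWORD:
            problems.append(f"{key} still uses the env.example default")
    return problems


def render_krb5_conf(env):
    """Render a client krb5.conf: KDC on 88, kadmin on 749, kpasswd on 464, domain mapped to realm."""
    realm = env["KRB5_REALM"]
    domain = env.get("KRB5_DOMAIN", realm.lower())
    host = env.get("KRB5_KDC_HOST", "localhost")
    lines = [
        "[libdefaults]", f"    default_realm = {realm}", "    dns_lookup_kdc = false", "",
        "[realms]", f"    {realm} = {{", f"        kdc = {host}:88",
        f"        admin_server = {host}:749", f"        kpasswd_server = {host}:464", "    }", "",
        "[domain_realm]", f"    .{domain} = {realm}", f"    {domain} = {realm}",
    ]
    return "\n".join(lines) + "\n"


# Constructed sample: one password was changed, the master password was not.
SAMPLE_ENV = "KRB5_REALM=CORP.TEST\nKRB5_DOMAIN=corp.test\nKRB5_KDC_HOST=kdc.corp.test\n" \
             "KRB5_MASTER_PASSWORD=changeit\nKRB5_ADMIN_PASSWORD='s3cret-value'\n"

if __name__ == "__main__":
    cfg = parse_env(SAMPLE_ENV)
    print("\n".join(check_env(cfg)) or "env OK")
    print(render_krb5_conf(cfg))
```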
Managing principals
Exec into the container and use `kadmin.local` (no password needed):

```sh
# List all principals
kadmin.local -q "listprincs"

# Add a principal
kadmin.local -q "addprinc username@REALM"

# Add a service principal and extract a keytab
kadmin.local -q "addprinc -randkey ldap/ldap.example.org@REALM"
kadmin.local -q "ktadd -k /tmp/ldap.keytab ldap/ldap.example.org@REALM"
```
OpenLDAP SASL/GSSAPI integration
- Create the LDAP service principal and extract a keytab:

  ```sh
  kadmin.local -q "addprinc -randkey ldap/ldap.example.org@REALM"
  kadmin.local -q "ktadd -k /tmp/ldap.keytab ldap/ldap.example.org@REALM"
  ```

- Copy the keytab into the OpenLDAP container at `/etc/ldap/ldap.keytab`.
- Set `KRB5_KTNAME=/etc/ldap/ldap.keytab` in the OpenLDAP container environment.
- Install `libsasl2-modules-gssapi-mit` in the OpenLDAP image and enable the `GSSAPI` SASL mechanism.