diff --git a/entrypoint.sh b/entrypoint.sh
index dcf2a7f..e599bcd 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -34,8 +34,32 @@ fi
 kerberos_enabled="0"
 if [ "${KERBEROS_ENABLE:-0}" = "1" ]; then
     kerberos_enabled="1"
-    export KRB5_KTNAME="${KRB5_KTNAME:-/etc/ldap/ldap.keytab}"
+    export KRB5_KTNAME="${KRB5_KTNAME:-/etc/krb5.keytab}"
     echo "Kerberos : enabled (keytab: $KRB5_KTNAME)"
+
+    if [ ! -f "$KRB5_KTNAME" ]; then
+        echo "Error: keytab not found at $KRB5_KTNAME" >&2
+        exit 1
+    fi
+
+    krb5_kdc_host="${KRB5_KDC_HOST:?KRB5_KDC_HOST must be set when KERBEROS_ENABLE=1}"
+    cat > /etc/krb5.conf <<EOF
+[libdefaults]
+    default_realm = ${KRB5_REALM:?KRB5_REALM must be set when KERBEROS_ENABLE=1}
+    dns_lookup_realm = false
+    dns_lookup_kdc = false
+
+[realms]
+    ${KRB5_REALM} = {
+        kdc = ${krb5_kdc_host}
+        admin_server = ${krb5_kdc_host}
+    }
+
+[domain_realm]
+    .${domain} = ${KRB5_REALM}
+    ${domain} = ${KRB5_REALM}
+EOF
+    echo "Kerberos : krb5.conf written (realm: ${KRB5_REALM}, kdc: ${krb5_kdc_host})"
 else
     echo "Kerberos : disabled"
 fi
diff --git a/env.example b/env.example
index 1909acb..e2865e5 100644
--- a/env.example
+++ b/env.example
@@ -7,5 +7,6 @@ LDAP_ADMIN_PASSWORD=changeit
 # Kerberos SASL/GSSAPI (optional)
 KERBEROS_ENABLE=0
 KRB5_REALM=EXAMPLE.ORG
+KRB5_KDC_HOST=kerberos.example.org
 KRB5_SASL_HOST=ldap.example.org
-KRB5_KTNAME=/etc/ldap/ldap.keytab
+KRB5_KTNAME=/etc/krb5.keytab