Create a service principal using MIT Kerberos
|Debian (Lenny, Squeeze)|
To create a service principal using MIT Kerberos
A principal is an identity that Kerberos is able to authenticate. Principals may represent users, network hosts, or network services. A principal that corresponds to a network service is called a service principal and has a name of the form:
Service principals are needed for two reasons:
- to allow services to verify that service tickets were issued by a genuine KDC, and
- to allow clients to verify that they are communicating with the intended service.
Some network services (such as Apache with mod_auth_kerb) can be configured to allow authentication without the use of a keytab or a service principal. This is inadvisable for any purpose other than troubleshooting because it leaves the server without the means to verify that a presented ticket is genuine.
Suppose you wish to allow authentication to the web site http://www.example.com/ using Kerberos. The canonical domain name of the web server is the same as the domain name of the website (www.example.com), and the Kerberos realm to which it belongs is EXAMPLE.COM. In order to achieve this in a secure manner it is necessary to create a service principal named HTTP/www.example.com@EXAMPLE.COM.
The method described here assumes that you already have:
- a Kerberos realm with an admin server and at least one KDC (Key Distribution Centre); and
- a Kerberos principal that is authorised to create other principals within that realm.
Service principals can be created using the addprinc command of kadmin in much the same way as user principals:
kadmin -q "addprinc -randkey HTTP/www.example.com"
The -q option specifies a kadmin command to be executed, in this case addprinc. The -randkey option of addprinc specifies that the encryption key should be chosen at random instead of being derived from a password. Services normally authenticate using a keytab, so have no need for a password.
By default, kadmin appends /admin to your default principal or username and attempts to authenticate to the admin server using that. You can specify an alternative admin principal using the -p option if required.
You do not need to be root to run kadmin, however if you are not root then it will probably not be on your path. A common location for the executable is
It is often convenient to run kadmin on the machine for which the service principal is needed, particularly if you also intend to create a keytab, however you should do this only if you are willing to trust that machine with administrative rights to the realm as a whole. Otherwise, choose a machine that you do trust (such as the KDC).
On Debian-based systems kadmin is provided by the krb5-user package, whereas on Red Hat-based systems it is provided by the
You can check that the service principal exists using the getprinc command of kadmin:
kadmin -q "getprinc HTTP/www.example.com"
If the principal exists then you should see output similar to the following:
Principal: HTTP/www.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Fri Nov 11 20:05:11 GMT 2011
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Nov 11 20:05:11 GMT 2011 (bofh/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
If it does not then you should see an error of the form:
get_principal: Principal does not exist while retrieving "HTTP/www.example.com@EXAMPLE.COM".
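The getprinc output above also lists the key types held by the principal, which in that sample are single DES and Triple DES. As an added example (not part of the original page), the shell function below parses getprinc output to confirm that the principal exists and to flag deprecated key types. The function names, the exit codes and the choice to treat DES, 3DES and RC4 as deprecated (following RFC 6649 and RFC 8429) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit getprinc output.

# Constructed sample: key lines as in the getprinc output shown above.
sample_getprinc() {
cat <<'EOF'
Principal: HTTP/www.example.com@EXAMPLE.COM
Number of keys: 2
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
EOF
}

# audit_getprinc (hypothetical helper): reads getprinc output on stdin.
# Exit status: 0 = principal exists, no deprecated keys
#              1 = principal exists but holds deprecated keys
#              2 = no "Principal:" line (principal missing or lookup failed)
audit_getprinc() {
    awk '
        /^Principal: / { found = 1; name = $2 }
        /^Key: vno [0-9]+, / {
            keys++
            desc = $0
            sub(/^Key: vno [0-9]+, */, "", desc)
            # Assumption: single DES, 3DES and RC4 count as deprecated
            # (RFC 6649, RFC 8429); matches old and new enctype spellings.
            if (tolower(desc) ~ /des|arcfour|rc4/) {
                weak++
                print "WEAK " desc
            }
        }
        END {
            if (!found) { print "MISSING"; exit 2 }
            print "PRINCIPAL " name " keys=" (keys + 0) " weak=" (weak + 0)
            exit (weak > 0 ? 1 : 0)
        }'
}

# Demo on the constructed sample; live use would be:
#   kadmin -q "getprinc HTTP/www.example.com" | audit_getprinc
sample_getprinc | audit_getprinc || true
```

A non-zero status from a live run is a prompt to check which encryption types the realm issues for new keys before the principal is exported to a keytab.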
Having created a service principal, you will normally want to add it to a keytab (sometimes the default keytab, /etc/krb5.keytab, or sometimes one with a different owner). See Add a host or service principal to a keytab using MIT Kerberos for instructions.
- Create a host principal using MIT Kerberos
- Add a host or service principal to a keytab using MIT Kerberos
- Kerberos V5 System Administrator's Guide, version 1.10, MIT, 2012
- kadmin (Ubuntu manpage)