How do I create principals with MIT KDC for Kerberos authentication?

Issue

How do I create principals with MIT KDC for Kerberos authentication?

Solution

To ensure that no problems arise due to MIT KDC and heimdal GSS interaction, create principals as follows (hostname is the fully-qualified host name):

1. Login and delete the service (imap/hostname, in this example):

$ kadmin.local

Authenticating as principal root/admin@domain-name with password.

kadmin.local: delete_principal imap/hostname

Are you sure you want to delete the principal "imap/hostname"? (yes/no): yes

Principal "imap/hostname" deleted.

Make sure that you have removed this principal from all ACLs before reusing.

2. Delete the principal:

kadmin.local: delete_principal user@domain-name

Are you sure you want to delete the principal "user@domain-name"? (yes/no): yes

Principal "user@domain-name" deleted.

Make sure that you have removed this principal from all ACLs before reusing.

3. Create the new service:

kadmin.local: add_principal -e DES-CBC-CRC:normal -randkey imap/hostname

WARNING: no policy specified for imap/hostname; defaulting to no policy

Principal "imap/hostname" created.

4. Create the new principal:

kadmin.local: add_principal -e DES-CBC-CRC:normal user@domain-name

WARNING: no policy specified for user@domain-name; defaulting to no policy

Enter password for principal "user@domain-name":

Re-enter password for principal "user@domain-name":

Principal "user@domain-name" created.

5. Add the new principal to the keytab:

kadmin.local: ktadd -e DES-CBC-CRC:normal imap/hostname

Entry for principal imap/$mas with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab

WRFILE:/etc/kerb5.keytab.

kadmin.local: q