3.6. Kerberos
Kerberos is an authentication framework whose purpose is to permit secure identification over the potentially insecure connections of decentralized networks. In Kerberos, all clients rely on a common foundation of mutual trust, the Key Distribution Center (KDC).
A client authenticates at this KDC and receives an authentication token, the so-called ticket, which can be used for authentication within the Kerberos environment (the so-called Kerberos realm). The name of the Kerberos realm is configured as part of the installation of the Primary Directory Node and stored in the Univention Configuration Registry Variable kerberos/realm.
It is not possible to change the name of the Kerberos realm at a later point in time.
Tickets have a default validity period of 8 hours. This is why it is vital for a Kerberos domain that the system time is synchronized on all systems belonging to the Kerberos realm.
Univention Corporate Server uses the Heimdal Kerberos implementation. On UCS Directory Nodes without Samba/AD, an independent Heimdal service is started; on Samba/AD DCs, Kerberos is provided by the Heimdal version integrated in Samba. In an environment composed of both UCS Directory Nodes without Samba/AD and Samba/AD domain controllers, the two Kerberos environments are based on identical data, which is synchronized between Samba/AD and OpenLDAP via the Univention S4 connector (see Univention S4 connector).
3.6.1. KDC selection
By default, the KDC is selected via a DNS service record. The KDC used by a system can be reconfigured using the Univention Configuration Registry Variable kerberos/kdc. If Samba/AD is installed on a system in the domain, the service record is reconfigured so that only the Samba/AD-based KDCs are offered. In a mixed environment it is recommended to use only the Samba/AD KDCs.
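To make the selection order concrete, here is an added shell example that is not taken from the UCS manual or the UCS code base: a set kerberos/kdc value is used as-is, otherwise the _kerberos._tcp SRV answer for the realm is consulted and the entry with the lowest priority (highest weight on ties, as RFC 2782 prescribes) is chosen. The SRV answer, the realm and all host names are constructed sample data.

```shell
#!/bin/sh
# Added example, not UCS code: mimic how a UCS host ends up with its KDC.
# On a real host the override value would come from `ucr get kerberos/kdc`
# and the SRV answer from a DNS query such as `dig +short SRV _kerberos._tcp.REALM`.

# Constructed sample SRV answer in `dig +short` format: "priority weight port target"
SRV_ANSWER_SAMPLE='10 50 88 dc1.example.com.
10 20 88 dc2.example.com.
20 0 88 backup.example.com.'

# select_kdc REALM UCR_KDC_VALUE SRV_ANSWER
# Prints the KDC host name that would be used; returns 1 if none can be found.
select_kdc() {
    realm=$1
    ucr_kdc=$2
    srv_answer=$3
    if [ -n "$ucr_kdc" ]; then
        # kerberos/kdc is set: DNS is not consulted at all
        printf '%s\n' "$ucr_kdc"
        return 0
    fi
    if [ -z "$srv_answer" ]; then
        echo "no KDC for realm $realm: kerberos/kdc unset and no SRV record" >&2
        return 1
    fi
    # lowest priority first, then highest weight; strip the trailing dot of the target
    printf '%s\n' "$srv_answer" | sort -k1,1n -k2,2nr | head -n 1 \
        | awk '{ sub(/\.$/, "", $4); print $4 }'
}

select_kdc EXAMPLE.COM "" "$SRV_ANSWER_SAMPLE"                 # dc1.example.com
select_kdc EXAMPLE.COM "kdc.example.com" "$SRV_ANSWER_SAMPLE"  # kdc.example.com
```

With Samba/AD in the domain the SRV record only lists Samba/AD KDCs, so the DNS branch of this function then yields one of them.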
3.6.2. Kerberos admin server
The Kerberos admin server, on which the administrative settings of the domain can be made, runs on the Primary Directory Node. Most of the settings in Univention Corporate Server are taken from the LDAP directory, so the major remaining function is changing passwords. This can be achieved by means of the tool kpasswd; the passwords are then changed in LDAP as well. The Kerberos admin server can be configured on a system via the Univention Configuration Registry Variable kerberos/adminserver.