Kerberos uses only secret-key cryptography, not public-key cryptography. Protocols of that kind are a lot easier to design.
Discovering KDCs
I needed a way to find KDCs for a domain. Here’s how I did it for TCP and UDP.
dig SRV _kerberos._udp.DOMAINNAME
And similarly for TCP.
dig SRV _kerberos._tcp.DOMAINNAME
Keytab
ktutil
ktutil is a tool for creating and managing Kerberos keytab files.
add_entry {-key|-password} -p principal -k kvno [-e enctype] [-f|-s salt]
Add principal to keylist using key or password. If the -f flag is specified, salt information will be fetched from the KDC; in this case the -e flag may be omitted, or it may be supplied to force a particular enctype. If the -f flag is not specified, the -e flag must be specified, and the default salt will be used unless overridden with the -s option.
Preauthentication failed
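When you are adding password-derived entries to your keytab, you might want to use the -f option to fetch the salt from the KDC. Without -f, the default salt is used; if the KDC holds a different salt for the principal, the key derived from the password does not match the KDC's key and authentication fails with "Preauthentication failed".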
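Why the salt matters, as an added example that is not part of the original notes: the same password stretched with two different salts gives two unrelated keys, so a keytab entry built with the default salt fails against a KDC that holds another one. It assumes an AES enctype and shows only the PBKDF2 stage of the RFC 3962 string-to-key function (the final key-derivation step needs AES and is left out); the principal, password and non-default salt are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
from typing import List, Optional

ITERATIONS = 4096  # default iteration count in RFC 3962


def default_salt(principal: str) -> bytes:
    """Default salt (RFC 4120): realm, then the name components, no separators."""
    name, _, realm = principal.rpartition("@")
    if not name or not realm:
        raise ValueError("expected name@REALM")
    # Simple split; escaped slashes in principal names are not handled here.
    return (realm + "".join(name.split("/"))).encode("utf-8")


def pbkdf2_stage(password: str, salt: bytes, keylen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the AES string-to-key (32 bytes for AES-256)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               ITERATIONS, keylen)


def find_salt(kdc_key: bytes, password: str,
              candidates: List[bytes]) -> Optional[bytes]:
    """Return the candidate salt that reproduces the KDC's key, or None."""
    for salt in candidates:
        derived = pbkdf2_stage(password, salt, len(kdc_key))
        if hmac.compare_digest(derived, kdc_key):
            return salt
    return None


def demo():
    # Constructed sample values, not taken from any real realm.
    password = "correct horse battery staple"
    principal = "svc-web@EXAMPLE.COM"
    kdc_salt = b"EXAMPLE.COMsvc-web-old"  # salt the KDC holds (non-default)
    kdc_key = pbkdf2_stage(password, kdc_salt)

    # Key a keytab entry would get without -f (default salt): does not match.
    default_key = pbkdf2_stage(password, default_salt(principal))
    matches_default = hmac.compare_digest(default_key, kdc_key)

    # Using the salt as the KDC reports it (what -f does) reproduces the key.
    found = find_salt(kdc_key, password, [default_salt(principal), kdc_salt])
    return matches_default, found


if __name__ == "__main__":
    print(demo())
```
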