DNS is intended to centrally resolve hostnames to IP addresses within a local network as well as on the Internet.

In addition to performing basic name resolution for hosts and e-mail servers, DNS can also contain other service-specific records allowing infrastructural services, such as MIT Kerberos, OpenLDAP and OpenAFS to perform a lot of service configuration discovery through DNS.

Historically, DNS has not been part of this introductory documentation series to infrastructure-based Unix networks. However, this has resulted in the documents using sub-optimal name resolution schemes, as well as showing suboptimal setups, requiring readers to perform additional configuration before they could consider their setups officially sound.

This document aims to improve that area and allow one to set up a solid infrastructure from the ground up.

... More description on what exactly DNS will do ...

While the idea of a network name resolution is not unique, let's quickly identify the specific name resolution elements in our setup:

You can find the complete DNS documentation at the ISC BIND website.

On all GNU/Linux-based platforms, Linux-PAM is available for service-specific authentication configuration. Linux-PAM is an implementation of PAM ("Pluggable Authentication Modules") from Sun Microsystems.

Network services, instead of having hard-coded authentication interfaces and decision methods, invoke PAM through a standard, pre-defined interface. It is then up to PAM to perform any and all authentication-related work, and report the result back to the application.

Exactly how PAM reaches the decision is none of the service's business. In traditional set-ups, that is most often done by asking and verifying usernames and passwords. In advanced networks, that could be retina scans or — Kerberos tickets.

PAM will allow for inclusion of Kerberos into the authentication path of all services, regardless of whether they natively support Kerberos or not.

You can find the proper introduction (and complete documentation) on the Linux-PAM website. Pay special attention to the PAM Configuration File Syntax page. Also take a look at the Linux-PAM(7) and pam(7) manual pages.

Let's agree on a few conventions before going down to work:

Kerberos server installation basically consists of just two packages — the KDC (Key Distribution Center), which takes care of handling authentication requests and issuing Kerberos tickets, and kadmind (Kerberos master server), which allows remote administration access to the Kerberos database and carrying out of administrative tasks.

sudo apt-get install bind9 bind9-{doc,host} bind9utils

Here are the Debconf answers for reference.

User account for running the BIND9 daemon: bind

Other startup options for named: (none)

Should resolv.conf settings be overridden? Yes

Here are the Debconf answers for reference.

User account for running the BIND9 daemon: bind

Other startup options for named: (none)

Should resolv.conf settings be overridden? Yes

As soon as the installation is done, the BIND server (named) will start, as we can verify using the following commands:

ps aux | grep [n]amed

bind      5097  0.2  2.4  45052 12028 ?        Ssl  01:02   0:00 /usr/sbin/named -u bind

netstat  -ntlp | grep :53

tcp        0      0 192.168.0.16:53         0.0.0.0:*               LISTEN      5097/named      
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      5097/named      
tcp6       0      0 :::53                   :::*                    LISTEN      5097/named 

By default, Debian and Ubunu /etc/bind/named.conf is configured to load three files, named.conf.options, named.conf.local and named.conf.default-zones.

cat /etc/bind/named.conf.options

options {
        directory "/var/cache/bind";

        forwarders {
             8.8.8.8;
             8.8.4.4;
        };

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

echo 192.168.7.12 > /etc/resolv.conf

It is already the time to test the installation. At this point you should be able to resolve hosts such as www.duckduckgo.com and www.wolfram.com:

host duckduckgo.com 192.168.0.16

www.duckduckgo.com is an alias for duckduckgo.com.
duckduckgo.com has address 46.51.197.88
duckduckgo.com has address 176.34.131.233
duckduckgo.com has address 46.51.197.89
duckduckgo.com has address 176.34.135.167
duckduckgo.com mail is handled by 10 mail.duckduckgo.com.
duckduckgo.com mail is handled by 40 mx1.dnsmadeeasy.com.
duckduckgo.com mail is handled by 50 mx3.dnsmadeeasy.com.
duckduckgo.com mail is handled by 60 mx2.dnsmadeeasy.com.

host wolfram.com

www.wolfram.com has address 140.177.205.134
www.wolfram.com has address 206.123.112.238

The first invocation of host with two arguments will resolve the host address using a specific DNS server — our local one.

The second invocation will resolve another host's IP without mentioning any DNS servers explicitly, ensuring that the settings in /etc/resolv.conf are correct.

In the test step above, you might have noticed principal names similar to kadmin/admin@SPINLOCK.HR. The general naming syntax for principals is SPEC@REALM, where SPEC by convention consists of components separated by "/", and the default REALM can be omitted.

In the case of principals related to system users, the first component identifies the user name, and the second component, if present, identifies user role. For regular users, there will usually be one principal with no special role, named simply USERNAME. But when administrative or other roles are required, there will be no need to condense them all to one "root" prinicpal — each user can simply be given conveniently named additional principals with special privileges, such as USERNAME/admin.

In the case of principals related to system services, the components will be used to identify service and hostname, such as host/monarch.spinlock.hr or ldap/monarch.spinlock.hr. ("host" is somewhat of a misnomer from today's perspective — it has nothing to do with host per-se, but is actually the service name for all remote shell protocols, such as rsh, rlogin and ssh).

Let's take a look at the /etc/krb5kdc/kadm5.acl file; it defines user access rights for the Kerberos database. For regular users with no special privileges, no action will be required. For admin users, we will want to grant all privileges, as hinted earlier in the section called “Principal Names”. To do this, make sure the following line is present in the file and enabled (that is, without the comment '#' character at the beginning):

*/admin *

(While the above syntax might remind you of shell globbing, it does not work that way. The only matching character supported is the asterisk ("*"), it does not match multiple components, and it can only be used in form of "component1/*" or "*/component2".)

Make sure to restart the admin server to apply /etc/krb5kdc/kadm5.acl changes:

sudo invoke-rc.d krb5-admin-server restart

Kerberos "policies" offer an elegant way to sort principals into a kind of categories and to automatically apply corresponding defaults onto newly created principals.

Let's create four basic policies: for admins, hosts, services and users. In this example, each policy will define minimum password strength (measured in number of character classes present in the password, from 1 to 5), but a few other options can be set — run addpol (the supported abbreviation of add_policy) if you're curious.

sudo kadmin.local
Authenticating as principal root/admin@SPINLOCK.HR with password.

kadmin.local:  add_policy -minlength 8 -minclasses 3 admin
kadmin.local:  add_policy -minlength 8 -minclasses 4 host
kadmin.local:  add_policy -minlength 8 -minclasses 4 service
kadmin.local:  add_policy -minlength 8 -minclasses 2 user

kadmin.local:  quit

As you might have noticed, the kadmin.local command identified us as the principal root/admin. Still, that principal does not actually exist in the database so we might as well create it now. Once the principal is actually there, we'll be able to connect to the administrative server using kadmin from any machine within the Kerberos realm, and not just by using kadmin.local on the Kerberos server.

Creating a principal based on your regular identity (such as USERNAME/admin) is preferred over creating one called root/admin, but we will create root/admin for simplicity:

sudo kadmin.local
Authenticating as principal root/admin@SPINLOCK.HR with password.

kadmin.local:  addprinc -policy admin root/admin

Enter password for principal "root/admin@SPINLOCK.HR": PASSWORD
Re-enter password for principal "root/admin@SPINLOCK.HR": PASSWORD
Principal "root/admin@SPINLOCK.HR" created.

kadmin.local:  quit

Now that the root/admin principal exists in the Kerberos database, we should be able to use kadmin just as we used kadmin.local. The only exception, of course, is that kadmin will prompt for a password to connect to the Kerberos admin server.

Double-check that all the permissions are granted to admin roles in the /etc/krb5kdc/kadm5.acl (as explained in the section called “Access rights”), and that the admin server has been restarted to read the new configuration; then proceed to test kadmin connection:

sudo kadmin -p root/admin
Authenticating as principal root/admin@SPINLOCK.HR with password.

Password for root/admin@SPINLOCK.HR: PASSWORD

kadmin:  listprincs

K/M@SPINLOCK.HR
root/admin@SPINLOCK.HR
kadmin/admin@SPINLOCK.HR
kadmin/changepw@SPINLOCK.HR
kadmin/history@SPINLOCK.HR
kadmin/krb1.SPINLOCK.HR@SPINLOCK.HR
krbtgt/SPINLOCK.HR@SPINLOCK.HR

kadmin:  quit

If there is a noticeable delay present before the kadmin password prompt appears, or if you notice a "SERVER_NOT_FOUND" warning printed to /var/log/kerberos/krb5kdc.log, look up the section called “Error: SERVER_NOT_FOUND” for a solution.

Let's add a principal that will correspond to your regular, unprivileged user account. In our example, the username will be called "mirko". We've essentially performed this procedure for the root/admin principal above, but we'll repeat it here for your regular user account, using a different policy, and replacing mirko with your username.

sudo kadmin -p root/admin
Authenticating as principal root/admin@SPINLOCK.HR with password.

Password for root/admin@SPINLOCK.HR: PASSWORD

kadmin:  addprinc -policy user mirko

Enter password for principal "mirko@SPINLOCK.HR": PASSWORD
Re-enter password for principal "mirko@SPINLOCK.HR": PASSWORD
Principal "mirko@SPINLOCK.HR" created.

kadmin:  quit

As hinted in the introduction, each user is expected to type in the password once, to obtain the initial TGT (Ticket-granting Ticket). Obtained tickets are saved to a so-called ticket cache, which is most commonly a file named /tmp/krb5cc_*, stored on the user's workstation.

Let's run the klist command to inspect our ticket cache (run this command under your regular, non-privileged username). As one might guess, since we did not obtain any tickets yet, the cache will be empty:

klist -f

klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

Let's use kinit now to obtain the ticket, and then re-inspect the ticket cache. If the command seemingly "hangs" and does nothing, wait a few seconds — DNS misconfiguration may cause a delay.

kinit mirko

Password for mirko@SPINLOCK.HR: PASSWORD

klist -f

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mirko@SPINLOCK.HR

Valid starting     Expires            Service principal
11/22/06 22:30:36  11/23/06 08:30:33  krbtgt/SPINLOCK.HR@SPINLOCK.HR
renew until 11/23/06 22:30:34, Flags: FPRIA

If you remember the story from the beginning, you will recognize the "krbtgt" to be the Ticket-granting Ticket.

The meanings of each flag letter produced by the klist switch -f are not important at this stage, but long-term it is useful to get into the habit of using -f, and the flag descriptions can be looked up in the manpage klist(1).

All great. Let's run kdestroy to terminate the ticket now.

To actually use Kerberos, we need to install kerberized versions of the standard services.

Each service may support Kerberos authentication either by having native Kerberos support, or by delegating the authentication work to the PAM subsystem (and since all relevant services support PAM, this means it is possible to Kerberize all network services).

In the APT repository you will find packages like dns-ftpd, krb5-telnetd and krb5-rsh-server. Those are replacement services for ftp, telnet and rsh with native Kerberos (and encryption) support.

So let's install krb5-rsh-server and ensure that it runs. It is started from inetd, so inetd must be installed and running as well, and the kshell and eklogin services need to be enabled in /etc/inetd.conf:

sudo apt-get install openbsd-inetd krb5-rsh-server

sudo update-rc.d -f openbsd-inetd remove
sudo update-rc.d openbsd-inetd defaults

sudo update-inetd --enable kshell
sudo update-inetd --enable eklogin

sudo invoke-rc.d openbsd-inetd restart

To connect to a certain service, the service must have a corresponding principal in the Kerberos database. This is because the Kerberos server acts as a trusted 3rd party and performs mutual authentication of the user and the service as explained in the section called “The role of DNS within a network”. The generic service name for telnet, rsh, ssh and related protocols is "host", so let's create the necessary principal with a randomly-generated password. Make sure that you export the key to a keytab file as shown (that is, within the same invocation of kadmin) to save yourself from getting an error about the "Key version number" being incorrect:

sudo kadmin -p root/admin
Authenticating as principal root/admin@SPINLOCK.HR with password.

Password for root/admin@SPINLOCK.HR: PASSWORD

kadmin:  addprinc -policy service -randkey host/monarch.spinlock.hr

Principal "host/monarch.spinlock.hr@SPINLOCK.HR" created.

kadmin:  ktadd -k /etc/krb5.keytab -norandkey host/monarch.spinlock.hr

Entry for principal host/monarch.spinlock.hr with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/monarch.spinlock.hr with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/monarch.spinlock.hr with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/monarch.spinlock.hr with kvno 2, encryption type des-cbc-crc added to keytab WRFILE:/etc/krb5.keytab.

kadmin:  quit

Finally, ensure that this host's keys are also present on the rsh server machine:
If the rsh server and the Kerberos server are the same machine, no additional key export is necessary.
If they are separate machines, log in to the rsh server and connect to kadmind to export the key into the local keytab:

kadmin -p root/admin

ktadd -k /etc/krb5.keytab -norandkey host/monarch.spinlock.hr

Entry for principal host/monarch.spinlock.hr with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/monarch.spinlock.hr with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/monarch.spinlock.hr with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/monarch.spinlock.hr with kvno 2, encryption type des-cbc-crc added to keytab WRFILE:/etc/krb5.keytab.

Let's install kerberized versions of the basic client programs:

sudo apt-get install krb5-clients

One of the client programs, krb5-rsh, will allow you connect to the secure rsh server, automatically and without asking for any user names or passwords. The connection will also be encrypted as long as the -x switch is used.

As we have taken care of all the pre-requisites, we can try connecting:

Obtain Kerberos ticket:

kinit mirko

Password for mirko@SPINLOCK.HR: PASSWORD

Connect:

krb5-rsh -x -PN krb1.spinlock.hr

This rlogin session is encrypting all data transmissions.
Last login: Mon Nov 27 16:49:49 from monarch
Linux monarch 2.4.27-2-686 #1 Mon May 16 17:03:22 JST 2005 i686 GNU/Linux

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.

logout
Connection closed.

Congratulations! You have a working Kerberos setup.

If anything is not working, proceed right to the section called “Troubleshooting Kerberos connection” — it contains an extensive list of possible errors and the corresponding solutions!

If everything is working, then you can skip that section for now and head directly to the section called “PAM configuration”.

krb5-rsh -x -PN krb1.spinlock.hr


Trying krb4 rlogin...
krb_sendauth failed: You have no tickets cached

You have no valid Kerberos tickets, which can be verified by running klist (the output will either be empty or show expired tickets). Obtain a new ticket using kinit:

kinit PRINCIPAL_NAME

krb5-rsh -PN krb1.spinlock.hr


connect to address 192.168.7.12: Connection refused
Trying krb4 rlogin...
connect to address 192.168.7.12: Connection refused
trying normal rlogin (/usr/bin/netkit-rlogin)
exec: No such file or directory

Let's take a look at this. First of all, you can see that krb5-rsh has some fallbacks built-in. It first tries to connect using the Kerberos 5 protocol, then Kerberos 4, and then using the normal, non-kerberized rsh. We are only interested in the krb5 result. If any of the other two methods succeed (the krb4 or plain rsh), it's still not what we want (and you will probably want to disable them somehow, because no one setting up a new Kerberos realm in the 21st century should be running either krb4 or unprotected rsh).

So where's the problem? Assuming that you did everything right (installed krb5-rsh-server and restarted inetd), the problem is very simple. Namely, by default, kerberized servers in Debian do not accept unencrypted connections! So, on next attempt, add -x on the command line.

krb5-rsh -PN -x krb1.spinlock.hr

krb5-rsh -PN -x krb1.spinlock.hr


error getting credentials: Server not found in Kerberos database

As explained in the section called “The role of DNS within a network”, both the users and the services must have an appropriate principal entry in the Kerberos database. While users are in form of NAME/ROLE, services are in form SERVICE-NAME/HOSTNAME. So we need to add a principal for service "host" (common name for all shell services), on host where the service is provided — monarch.spinlock.hr. (Strictly, the service is provided on the server, on krb1.spinlock.hr, but in a single-machine setup, the hostname's FQDN returns monarch.spinlock.hr so we must use that).

Within the same session, you will almost always want to export that principal's key to a keytab file. Exporting will not work as intended if the key was not created in a single kadmin session, so the below solution deletes the existing key (if any), creates it anew and exports it to a file. As to what you need to do with the keytab file after creation — you need to move it from the Kerberos server onto the machine providing the service. If that is the same machine, no moving is necessary.

As most of the errors really boil down to this step, we also take care of re-initializing the ticket properly, to minimize the chance of a mistake:

rm /etc/krb5.keytab

kdestroy

sudo kadmin.local
Authenticating as principal root/admin@SPINLOCK.HR with password.

kadmin.local:  delprinc host/monarch.spinlock.hr
Are you sure you want to delete the principal "host/monarch.spinlock.hr@SPINLOCK.HR"? (yes/no): yes
Principal "host/monarch.spinlock.hr@SPINLOCK.HR" deleted.
Make sure that you have removed this principal from all ACLs before reusing.

kadmin.local:  addprinc -randkey host/monarch.spinlock.hr

WARNING: no policy specified for host/monarch.spinlock.hr@SPINLOCK.HR; defaulting to no policy
Principal "host/monarch.spinlock.hr@SPINLOCK.HR" created.

kadmin.local:  ktadd -k /etc/krb5.keytab -norandkey host/monarch.spinlock.hr

kadmin.local: quit

kinit root/admin

krb5-rsh -PN -x krb1.spinlock.hr


Couldn't authenticate to server: Server rejected authentication (during sendauth exchange)
Server returned error code 60 (Generic error (see e-text))
Error text sent from server: No such file or directory

The above error indicates that we should pay attention to the "e-text" (error text returned to the client). The error text tells us, in kind of a confusing way (since — you see — there is no filename reported), that the /etc/krb5.keytab file on the rsh server is missing altogether. This file needs to exist and contain the service key. The way to obtain the file and the key is to follow the recipe from the section called “Error: Server not found in Kerberos database”.

krb5-rsh -PN -x krb1.spinlock.hr


Couldn't authenticate to server: Server rejected authentication (during sendauth exchange)
Server returned error code 60 (Generic error (see e-text))
Error text sent from server: Key table entry not found

The server did accept the connection, but the e-text "Key table entry not found" indicates that the service principal (created earlier, host/monarch.spinlock.hr) is not listed in the keytab file on rsh server. Follow the recipe in the section called “Error: Server not found in Kerberos database”.

krb5-rsh -PN -x krb1.spinlock.hr


Couldn't authenticate to server: Server rejected authentication (during sendauth exchange)
Server returned error code 60 (Generic error (see e-text))
Error text sent from server: Key version number for principal in key table is incorrect

The service key has changed on the Kerberos server, and the service did not succeed in proving its identity to the Kerberos server — the file /etc/krb5.keytab on the service did not contain the correct key. Have in mind that the key changes if you run ktadd from within the kadmin shell, and the only way to prevent that from happening is to use kadmin.local interface and use ktadd -norandkey in it. If curious, read up on ktadd behavior in kadmin(8). Follow the recipe in the section called “Error: Server not found in Kerberos database”.

kinit root/admin


kinit(v5): Client not found in Kerberos database while getting initial credentials

This is Kerberos way of saying "User not found". You either misspelled the principal name ("root/admin" in this case), or you didn't add the principal to the kerberos database in the first place. Adding a principal is performed using the addprinc command as shown in the section called “Creating first privileged principal” or the section called “Creating first unprivileged principal”.

sudo kadmin -p root/admin


kadmin: Client not found in Kerberos database while initializing kadmin interface

This is Kerberos way of saying "User not found". You either misspelled the principal name ("root/admin" in this case), or you didn't add the principal to the kerberos database in the first place. Adding a principal is performed using the addprinc command as shown in the section called “Creating first privileged principal” or the section called “Creating first unprivileged principal”.

krb5-rsh -PN -x krb1.spinlock.hr


Couldn't authenticate to server: Server rejected authentication (during sendauth exchange)
Server returned error code 31 (Decrypt integrity check failed)
Error text sent from server: Decrypt integrity check failed

This is Kerberos way of saying "Password incorrect". In this case, it means that the service key changed on the server, and your your ticket cache no longer contains the ticket with the correct key. Running kdestroy; kinit should obtain a new ticket and solve the problem.

kadmin: ktadd -k /etc/krb5.keytab host/monarch.spinlock.hr


kadmin: Unsupported key table format version number while adding key to keytab

This usually happens when the local file to which you want to export the key (/etc/krb5.keytab) is in an incorrect format.

The most common reason why this would happen is if you have tried to create an empty file (using touch or similar commands) beforehand, and then export the key into it.

To verify that this is indeed the case, try running klist on the existing file to which you are attempting to export the key:

sudo klist -k /etc/keytab


klist: Unsupported key table format version number while starting keytab scan

The solution is to delete the incorrectly created keytab file, or to choose a different keytab file to which the intended key should be exported.

krb5-rsh -x -PN krb1.spinlock.hr


Couldn't authenticate to server: Server rejected authentication (during sendauth exchange)
Server returned error code 60 (Generic error (see e-text))
Error text sent from server: Wrong principal in request

sudo kadmin -p root/admin

==> kerberos/krb5kdc.log <==
Jan 07 01:47:35 ubuntu krb5kdc[20837](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.7.12: SERVER_NOT_FOUND: root/admin@SPINLOCK.HR for kadmin/krb1.spinlock.hr@SPINLOCK.HR, Server not found in Kerberos database

This error is emitted in the krb5kdc log file when the principal reported (kadmin/krb1.spinlock.hr@SPINLOCK.HR) is missing in the Kerberos database.
It usually happens when you are setting up a Kerberos server using a chosen hostname that does not match the hostname reported by the system command hostname.

Add the missing kadmin principal as follows:

sudo kadmin.local
Authenticating as principal root/admin@SPINLOCK.HR with password.

kadmin.local:  addprinc -randkey -requires_preauth -allow_tgs_req  kadmin/krb1.spinlock.hr

WARNING: no policy specified for kadmin/krb1.spinlock.hr@SPINLOCK.HR; defaulting to no policy
Principal "kadmin/krb1.spinlock.hr@SPINLOCK.HR" created.

kadmin.local:  quit

sudo kadmin -p root/admin

==> kerberos/krb5kdc.log <==
Jan 07 01:47:35 ubuntu krb5kdc[20837](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.7.12: SERVER_NOT_FOUND: root/admin@SPINLOCK.HR for kadmin/krb1.spinlock.hr@SPINLOCK.HR, Server not found in Kerberos database

This error is emitted in the krb5kdc log file when the principal reported (kadmin/krb1.spinlock.hr@SPINLOCK.HR) is missing in the Kerberos database.
It usually happens when you are setting up a Kerberos server using a chosen hostname that does not match the hostname reported by the system command hostname.

Add the missing kadmin principal as follows:

sudo kadmin.local
Authenticating as principal root/admin@SPINLOCK.HR with password.

kadmin.local:  addprinc -randkey -requires_preauth -allow_tgs_req  kadmin/krb1.spinlock.hr

WARNING: no policy specified for kadmin/krb1.spinlock.hr@SPINLOCK.HR; defaulting to no policy
Principal "kadmin/krb1.spinlock.hr@SPINLOCK.HR" created.

kadmin.local:  quit

krb5-rsh -x -PN krb1.spinlock.hr

klogind: User root/admin@SPINLOCK.HR is not authorized to login to account root.

This error is emitted when the Kerberos principal name ("root/admin") does not exactly match the name of the user account to which it wants to log in to ("root"), and when the login allowance for that principal has not been added to file ~/.k5login.

To add the permission, add the principal's full name to the file ~/.k5login in the target account's home directory:

echo 'root/admin@SPINLOCK.HR' >> ~root/.k5login

account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
account requisite                       pam_deny.so
account required                        pam_permit.so
account required                        pam_krb5.so minimum_uid=1000

auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

password        [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password        requisite                       pam_deny.so
password        required                        pam_permit.so

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session optional                        pam_krb5.so minimum_uid=1000
session required        pam_unix.so