My setup consists of two laptops running Fedora, both connected to my wireless router on the same subnet. Note that most of the time you do not need to configure a KDC server at all; your enterprise may already have one, in which case you need to ask your operations team how to get the keytabs or how to use SSO without keytabs.
For simplicity's sake, I edited the "/etc/hosts" file and added the following lines
192.168.1.76 primary.example.com
192.168.1.98 secondary.example.com
Most of you may already have an enterprise Kerberos system installed and configured, but for my testing I had to install a Kerberos server myself. I followed the instructions at http://fedoraproject.org/wiki/Kerberos_KDC_Quickstart_Guide. On my "secondary.example.com" machine, with root permissions, run
yum -y install krb5-libs krb5-server krb5-workstation
Once the installation is complete, I needed to create a database for the Kerberos credentials. Enterprises typically back this with LDAP or similar, but for my test case a simple local store is sufficient. To create it (the -s flag writes a stash file so the KDC can start without prompting for the master password), execute
kdb5_util create -s
Kerberos is sensitive to clock skew between machines, so synchronize the clocks with NTP by executing
yum install ntp
service ntpd restart
Edit the "/var/kerberos/krb5kdc/kadm5.acl" to look like
*/admin *
Now edit the "/etc/krb5.conf" file so that it looks like

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
  kdc = secondary.example.com:88
  admin_server = secondary.example.com:749
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
Now adjust the firewall to allow the "kerberos" service; in my setup I used the graphical firewall tool that comes with Fedora. Then start the Kerberos servers with the following commands
/sbin/service krb5kdc start
/sbin/service kadmin start
Now we are ready to create principals in Kerberos. To begin with we need a "root" admin principal, which you can add by issuing
kadmin.local -q "addprinc root/admin"
Now log in to kadmin as the "root/admin" principal to create the other principals
kadmin.local -p root/admin
Then at the kadmin prompt, add a user principal (here "alice") and a service principal for the host where the service will run (here "bob/primary.example.com") with
ank alice
ank bob/primary.example.com
You can list all the principals in the system by issuing
listprincs
and you will see entries like
root/admin@EXAMPLE.COM
alice@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
bob/primary.example.com@EXAMPLE.COM
Here I am going to use "bob/primary.example.com@EXAMPLE.COM" as the Service Principal Name (SPN). Kerberos involves three parties: the client user (that is you, e.g. alice), the host where the service is running (JBoss EAP), and the Kerberos server (KDC) itself. To get access to the service the user authenticates with Kerberos, but the user also has to state which service the ticket should be granted for, and that is done with the SPN. Using the combination of the user's ticket and the SPN, access is negotiated with the service.
To proceed we need keytabs, which hold the principals' credentials (their keys). To create them, execute the following in the kadmin console
ktadd -k /path/to/bob.keytab bob/primary.example.com
ktadd -k /path/to/alice.keytab alice
Now Kerberos is all set up. Copy "bob.keytab" to the system where the service is installed and "alice.keytab" to the client system from which the call to the service is made. In my case that was the "primary.example.com" machine, and the service was running in JBoss EAP (see https://docs.jboss.org/author/display/TEIID/Installation+Guide). Also copy the "/etc/krb5.conf" file to that machine, to a location of your choosing. A keytab is equivalent to the principal's password, so restrict its file permissions to the account that runs the service.
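As an added example (not from the original post), here is a small Python parser for the MIT keytab file format that lists the principals, key version numbers and encryption types a keytab contains, so you can confirm that the bob.keytab you copied to primary.example.com holds the SPN you expect and is not keyed with a deprecated enctype. The keytab bytes are constructed inline with dummy keys; on a real machine `klist -kt /path/to/bob.keytab` gives the same listing.

```python
import struct
# Enctype numbers from RFC 3961/3962/4757; the RC4 and DES families are deprecated.
ENCTYPES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 16, 23}

def build_entry(realm, components, enctype, key, kvno, timestamp=0):
    # One MIT keytab (file version 0x0502) entry; every field is big-endian.
    body = struct.pack(">H", len(components))
    for s in [realm] + components:                   # realm first, then the name components
        body += struct.pack(">H", len(s.encode())) + s.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name_type NT-PRINCIPAL, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key     # keyblock: enctype + counted key
    body += struct.pack(">I", kvno)                          # optional 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body

# Constructed sample with dummy key bytes: the two principals ktadd exported in the post,
# separated by a deleted slot (negative size) of the kind ktremove leaves behind.
SAMPLE_KEYTAB = (b"\x05\x02"
    + build_entry("EXAMPLE.COM", ["bob", "primary.example.com"], 18, b"\x11" * 32, 3, 1400000000)
    + struct.pack(">i", -8) + b"\x00" * 8
    + build_entry("EXAMPLE.COM", ["alice"], 23, b"\x22" * 16, 1))

def parse_keytab(data):
    """Return principal, kvno, enctype, weak flag and key length for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off); off += 4
        if size <= 0:                                # deleted slot: skip its bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off); off += 2
        strings = []
        for _ in range(ncomp + 1):                   # realm, then components
            (n,) = struct.unpack_from(">H", data, off); off += 2
            strings.append(data[off:off + n].decode()); off += n
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off); off += 9
        enctype, klen = struct.unpack_from(">HH", data, off); off += 4
        kvno = vno8
        if end - (off + klen) >= 4:                  # trailer present: it overrides vno8
            (kvno32,) = struct.unpack_from(">I", data, off + klen)
            kvno = kvno32 or vno8                    # MIT treats a zero trailer as absent
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0], "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, str(enctype)),
                        "weak": enctype in WEAK_ENCTYPES, "key_len": klen})
        off = end
    return entries
```

Run `parse_keytab(open("/path/to/bob.keytab", "rb").read())` on a real keytab and check that the expected SPN is present and that no entry has `weak` set.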