Kerberos. Setup with examples
The server

1. CLOCK SYNCHRONIZATION and DNS entries
Links

The "Installation Guide", the "Administration Guide" and the "User Guide" coming with the packages
http://web.mit.edu/kerberos/www/
http://www.isi.edu/gost/brian/security/kerberos.html
http://www.y12.doe.gov/~jar/HowToKerb.html
http://linuxline.epfl.ch/Doc/rhl-rg-en-7.1/ch-kerberos.html
http://www.bayour.com/LDAPv3-HOWTO.html
http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html
Be sure that you have clock synchronization and DNS working on your server before installing Kerberos 5. Pay particular attention to time synchronization between the Kerberos server and its various clients.
Here are the DNS entries for the Kerberos server:
$ORIGIN .
$TTL 86400      ; 1 day
example.com     IN SOA  sunlight.example.com. florin.example.com. (
                        2001042703 ; serial
                        86400      ; refresh (1 day)
                        21600      ; retry (6 hours)
                        3600000    ; expire (5 weeks 6 days 16 hours)
                        3600       ; minimum (1 hour)
                        )
                NS      sunlight.example.com.
$ORIGIN example.com.
$TTL 86400      ; 1 day
localhost       A       127.0.0.1
sunlight        A       192.168.2.178
kerberos        A       192.168.2.178
moonlight       A       192.168.2.23
; Master setup
_kerberos               IN TXT  "EXAMPLE.COM"
_kerberos-master._udp   IN SRV  0 0 88 kerberos
_kerberos-adm._tcp      IN SRV  0 0 749 kerberos
_kpasswd._udp           IN SRV  0 0 464 kerberos
;
; Round-robin setup
_kerberos._udp          IN SRV  0 0 88 kerberos
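What these records actually buy you: a client with dns_lookup_realm and dns_lookup_kdc enabled reads the _kerberos TXT record to learn the realm and the SRV records to find the KDC, admin server and kpasswd server, so the zone above is equivalent to a static [realms] stanza in krb5.conf. The following Python script (an added example, not code from this page or from MIT Kerberos) parses the zone, derives that stanza, checks that every SRV target has an A record, and encodes the clock-skew rule behind the synchronization advice: MIT krb5 rejects requests whose timestamp is more than 300 seconds off (its default clockskew) with "Clock skew too great". The zone text is copied from the page; the parser covers only the master-file syntax that zone uses.

```python
"""Added example (not from this page or MIT): derive krb5.conf settings from the
DNS records above and check them. Zone text is copied from the page; the parser
covers only the master-file syntax used there."""

ZONE = """\
$ORIGIN .
$TTL 86400 ; 1 day
example.com IN SOA sunlight.example.com. florin.example.com. (
            2001042703 86400 21600 3600000 3600 )
            NS sunlight.example.com.
$ORIGIN example.com.
$TTL 86400 ; 1 day
localhost   A 127.0.0.1
sunlight    A 192.168.2.178
kerberos    A 192.168.2.178
moonlight   A 192.168.2.23
; Master setup
_kerberos             IN TXT "EXAMPLE.COM"
_kerberos-master._udp IN SRV 0 0 88 kerberos
_kerberos-adm._tcp    IN SRV 0 0 749 kerberos
_kpasswd._udp         IN SRV 0 0 464 kerberos
; Round-robin setup
_kerberos._udp        IN SRV 0 0 88 kerberos
"""

MAX_CLOCK_SKEW = 300  # seconds; MIT krb5's default "clockskew"


def qualify(name, origin):
    """Make a master-file name absolute relative to the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_zone(text):
    """Return (owner, rtype, rdata-tokens) triples with every name made absolute."""
    origin, last_owner, records, buf, depth = ".", None, [], "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop ; comments
        if not line.strip():
            continue
        buf = (buf + " " + line.strip()) if depth else line
        depth += line.count("(") - line.count(")")  # the SOA spans lines in ( )
        if depth:
            continue
        entry, buf = buf, ""
        tokens = entry.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        # a line starting with whitespace has no owner and reuses the previous one
        owner = last_owner if entry[0].isspace() else qualify(tokens.pop(0), origin)
        last_owner = owner
        if tokens[0].isdigit():                     # optional per-record TTL
            tokens.pop(0)
        if tokens[0].upper() == "IN":               # optional class
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in ("SRV", "NS", "CNAME", "MX"):   # rdata ends in a (maybe relative) name
            rdata[-1] = qualify(rdata[-1], origin)
        records.append((owner, rtype, rdata))
    return records


# krb5.conf [realms] key -> SRV label that MIT krb5 looks up for it
SRV_KEYS = {
    "kdc": "_kerberos._udp",
    "master_kdc": "_kerberos-master._udp",
    "admin_server": "_kerberos-adm._tcp",
    "kpasswd_server": "_kpasswd._udp",
}


def realm_from_dns(records, domain):
    """What a client with dns_lookup_realm/dns_lookup_kdc derives for `domain`."""
    dom = qualify(domain, ".")
    realm = next(rd[0].strip('"') for o, t, rd in records
                 if t == "TXT" and o == f"_kerberos.{dom}")
    info = {"realm": realm, "domain": dom.rstrip(".")}
    for key, label in SRV_KEYS.items():
        hits = []
        for owner, rtype, rdata in records:
            if rtype == "SRV" and owner == f"{label}.{dom}":
                prio, weight, port, target = rdata
                # lowest priority first, then highest weight (RFC 2782 order)
                hits.append((int(prio), -int(weight), f"{target.rstrip('.')}:{port}"))
        info[key] = [h[2] for h in sorted(hits)]
    return info


def render_krb5_conf(info):
    """Static stanza equivalent to the DNS records, for clients without DNS lookup."""
    lines = ["[realms]", f"  {info['realm']} = {{"]
    for key in SRV_KEYS:
        lines += [f"    {key} = {hp}" for hp in info[key]]
    lines += ["  }", "[domain_realm]",
              f"  .{info['domain']} = {info['realm']}",
              f"  {info['domain']} = {info['realm']}"]
    return "\n".join(lines)


def unresolved_srv_targets(records):
    """SRV targets with no A/AAAA record in the zone: clients could not reach that KDC."""
    addressed = {o for o, t, _ in records if t in ("A", "AAAA")}
    return sorted({rd[-1] for _, t, rd in records if t == "SRV"} - addressed)


def clock_skew_ok(kdc_epoch, client_epoch, max_skew=MAX_CLOCK_SKEW):
    """Beyond max_skew the KDC answers KRB_AP_ERR_SKEW ("Clock skew too great")."""
    return abs(kdc_epoch - client_epoch) <= max_skew


if __name__ == "__main__":
    recs = parse_zone(ZONE)
    print(render_krb5_conf(realm_from_dns(recs, "example.com")))
    print("unresolved SRV targets:", unresolved_srv_targets(recs))
```

Running it prints the [realms]/[domain_realm] stanza pointing everything at kerberos.example.com; deleting the kerberos A record from the zone makes unresolved_srv_targets report it, which is the kind of mistake that otherwise only shows up as "Cannot resolve network address for KDC" on a client.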
Install the krb5-server and krb5-libs packages.
Adapt the following configuration files to your needs:
/etc/krb5.conf
/etc/kerberos/krb5kdc/kdc.conf
/etc/kerberos/krb5kdc/kadm5.acl
According to the kadm5.acl file, all principals with the instance admin (that is, name/admin) have all rights.
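To make the ACL semantics concrete, here is a small evaluator for the principal-pattern and permission fields of kadm5.acl, written as an added example (not code from this page or from MIT Kerberos). The ACL content is an assumption: the first line, */admin@EXAMPLE.COM *, is the sample MIT ships and is what "instance admin gets all rights" refers to; the second line is constructed to show a restricted identity. The optional target-principal and restriction fields of a real kadm5.acl are not modelled.

```python
"""Added example (not from this page or MIT): evaluate the principal-pattern and
permission fields of kadm5.acl. The first ACL line below is the sample MIT ships;
the second is constructed. Target patterns and restrictions are not modelled."""

KADM5_ACL = """\
# principal pattern     permissions
*/admin@EXAMPLE.COM     *
helpdesk@EXAMPLE.COM    il
"""

# Permission letters from kadm5.acl(5): a add, c change password, d delete,
# e extract keys, i inquire, l list, m modify, p propagate, s set key.
# An uppercase letter denies that right; '*' or 'x' grants all of them.
ALL_PERMS = set("acdeilmps")


def parse_acl(text):
    """Return (pattern, permissions) pairs, skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            rules.append((fields[0], fields[1]))  # fields 3/4 (target, restrictions) ignored
    return rules


def split_principal(name):
    """'primary/instance@REALM' -> (primary, instance, realm); instance may be ''."""
    body, _, realm = name.rpartition("@")
    primary, _, instance = body.partition("/")
    return primary, instance, realm


def principal_matches(pattern, principal):
    """'*' stands for one whole component, so */admin matches florin/admin but
    not florin (whose instance is empty) and nothing in another realm."""
    return all(pc == "*" or pc == qc
               for pc, qc in zip(split_principal(pattern), split_principal(principal)))


def acl_permits(rules, principal, right):
    """True if the first ACL line matching `principal` grants `right`; no line, no right."""
    for pattern, perms in rules:
        if principal_matches(pattern, principal):
            allowed = ALL_PERMS if perms in ("*", "x") else {c for c in perms if c.islower()}
            return right in allowed
    return False


if __name__ == "__main__":
    rules = parse_acl(KADM5_ACL)
    for who in ("florin/admin@EXAMPLE.COM", "florin@EXAMPLE.COM", "helpdesk@EXAMPLE.COM"):
        print(who, {r: acl_permits(rules, who, r) for r in "adl"})
```

The point of the separate admin instance is that florin logs in day to day as florin@EXAMPLE.COM, which matches no ACL line and can administer nothing; only the florin/admin principal created in the next steps carries the rights.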
NOTE:
In the /etc/krb5.conf file you have these lines:
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc
and in the /etc/kerberos/krb5kdc/kdc.conf file:
master_key_type = des-cbc-crc
supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
If you want to support DES3 encryption, add des3-hmac-sha1, so you'll get:
in the /etc/krb5.conf file:
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
permitted_enctypes = des3-hmac-sha1 des-cbc-crc
and in the /etc/kerberos/krb5kdc/kdc.conf file:
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
The ftp client coming with the packages won't support DES3 encryption.
So, adapt these files to your needs before continuing.
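The reason the ftp client still works after adding des3-hmac-sha1 is that enctype selection is an intersection: the client asks for the enctypes it lists, the KDC answers with the first one it also supports, and an empty intersection fails with KDC_ERR_ETYPE_NOSUPP. The following Python script (an added example, not code from this page or from MIT Kerberos) reads the two configuration fragments above, computes that intersection for the page's client and for a DES-only client like the ftp client, and flags the enctypes that have since been deprecated: single DES by RFC 6649, 3DES by RFC 8429, and single-DES support was removed outright in MIT krb5 1.18. The last case in the test shows what such a DES-only client gets from a KDC that only offers AES.

```python
"""Added example (not from this page or MIT): enctype negotiation and deprecation
check for the krb5.conf / kdc.conf settings shown above."""
import re

# Deprecated by the IETF: RFC 6649 (single DES), RFC 8429 (3DES and RC4).
DEPRECATED = {
    "des-cbc-crc": "RFC 6649", "des-cbc-md5": "RFC 6649", "des-cbc-md4": "RFC 6649",
    "des3-hmac-sha1": "RFC 8429", "des3-cbc-sha1": "RFC 8429",
    "arcfour-hmac": "RFC 8429", "rc4-hmac": "RFC 8429",
}

# The DES3 variant of the page's configuration, copied from the text above.
KRB5_CONF = """\
[libdefaults]
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    permitted_enctypes = des3-hmac-sha1 des-cbc-crc
"""

KDC_CONF = """\
[realms]
    EXAMPLE.COM = {
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
    }
"""


def enctype_list(conf_text, key):
    """Enctypes listed for `key`, in order, without kdc.conf ':salt' suffixes or duplicates."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*(.+?)\s*$", conf_text, re.M)
    if not m:
        return []
    seen = []
    for tok in m.group(1).split():
        enctype = tok.split(":")[0]          # des-cbc-crc:v4 -> des-cbc-crc
        if enctype not in seen:
            seen.append(enctype)
    return seen


def negotiable(client_pref, kdc_supported):
    """Enctypes both sides can use, in the client's preference order. An empty
    result is what the client sees as KDC_ERR_ETYPE_NOSUPP."""
    offered = set(kdc_supported)
    return [e for e in client_pref if e in offered]


def deprecated_in(enctypes):
    """(enctype, deprecating RFC) for every listed enctype that should no longer be used."""
    return [(e, DEPRECATED[e]) for e in enctypes if e in DEPRECATED]


if __name__ == "__main__":
    kdc = enctype_list(KDC_CONF, "supported_enctypes")
    client = enctype_list(KRB5_CONF, "default_tkt_enctypes")
    print("page client :", negotiable(client, kdc))
    print("DES-only ftp:", negotiable(["des-cbc-crc"], kdc))
    print("deprecated  :", deprecated_in(kdc))
```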
Create the Kerberos database and choose a password:
[root@sunlight root]# /usr/sbin/kdb5_util create -r EXAMPLE.COM -s
Initializing database '/etc/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Create your first principal:
[root@sunlight root]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc florin/admin
and you'll get:
WARNING: no policy specified for florin/admin@EXAMPLE.COM; defaulting
to no policy
Enter password for principal "florin/admin@EXAMPLE.COM":
Re-enter password for principal "florin/admin@EXAMPLE.COM":
Principal "florin/admin@EXAMPLE.COM" created.
The question mark will give you the list of the commands available:
kadmin.local: ?
Available kadmin.local requests:

add_principal, addprinc, ank             Add principal
delete_principal, delprinc               Delete principal
modify_principal, modprinc               Modify principal
change_password, cpw                     Change password
get_principal, getprinc                  Get principal
list_principals, listprincs, get_principals, getprincs
                                         List principals
add_policy, addpol                       Add policy
modify_policy, modpol                    Modify policy
delete_policy, delpol                    Delete policy
get_policy, getpol                       Get policy
list_policies, listpols, get_policies, getpols
                                         List policies
get_privs, getprivs                      Get privileges
ktadd, xst                               Add entry(s) to a keytab
ktremove, ktrem                          Remove entry(s) from a keytab
list_requests, lr, ?                     List available requests.
quit, exit, q                            Exit program.
Restart the /etc/init.d/krb5server service:
[root@sunlight kerberos]# /etc/init.d/krb5server restart
Stopping Kerberos 5-to-4 Server                            [ERROR]
Stopping Kerberos 5 Admin Server                           [ERROR]
Stopping Kerberos 5 KDC                                    [ERROR]
Extracting kadm5 Service Keys
Authenticating as principal root/admin@EXAMPLE.COM with password.
Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/kerberos/krb5kdc/kadm5.keytab.
                                                           [ OK ]
Starting Kerberos 5 KDC
Starting Kerberos 5 Admin Server
Starting Kerberos 5-to-4 Server                            [ OK ]
Now we'll create some more principals (florin, root/admin, root) and choose their passwords:
kadmin.local: addprinc florin/sunlight.example.com
...
Let's verify it:
kadmin.local: listprincs
K/M@EXAMPLE.COM
florin/admin@EXAMPLE.COM
florin@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
root/admin@EXAMPLE.COM
root@EXAMPLE.COM
Principals and keytab entries can also be created from the shell with kadmin.local -q "<request>", for example kadmin.local -q "ktadd host/sunlight.example.com"; this form is convenient for scripts.
Here is such a script, called create-everything.sh:
#!/bin/sh
# user principals: kadmin.local prompts for a password for each one
kadmin.local -q "addprinc florin"
kadmin.local -q "addprinc root/admin"
kadmin.local -q "addprinc root"
# service principals get a random key (-randkey); ktadd then writes
# the key into the default keytab, /etc/krb5.keytab
kadmin.local -q "addprinc -randkey host/sunlight.example.com"
kadmin.local -q "ktadd host/sunlight.example.com"
kadmin.local -q "addprinc -randkey telnet/sunlight.example.com"
kadmin.local -q "ktadd telnet/sunlight.example.com"
kadmin.local -q "addprinc -randkey ftp/sunlight.example.com"
kadmin.local -q "ktadd ftp/sunlight.example.com"
You can run it with the sh create-everything.sh command.
The Kerberos server is called sunlight.example.com and we'd like to provide telnet and ftp services to the Kerberos clients. Create principals for that purpose:
kadmin.local: addprinc -randkey host/sunlight.example.com
WARNING: no policy specified for host/sunlight.example.com@EXAMPLE.COM;
defaulting to no policy
Principal "host/sunlight.example.com@EXAMPLE.COM" created.
kadmin.local: ktadd host/sunlight.example.com
and you'll get:
Entry for principal ftp/sunlight.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal ftp/sunlight.example.com with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
If you don't specify a keytab, the /etc/krb5.keytab file will be created and used.
The klist -k command will list the keys present in your keytab file:
[root@sunlight root]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 host/sunlight.example.com@EXAMPLE.COM
4 host/sunlight.example.com@EXAMPLE.COM
5 telnet/sunlight.example.com@EXAMPLE.COM
5 telnet/sunlight.example.com@EXAMPLE.COM
3 host/kerberos.example.com@EXAMPLE.COM
3 host/kerberos.example.com@EXAMPLE.COM
3 telnet/kerberos.example.com@EXAMPLE.COM
3 telnet/kerberos.example.com@EXAMPLE.COM
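Two things are worth checking in a listing like this. First, every service you intend to offer needs a key in the keytab: the listing above carries host/ and telnet/ keys but no ftp/ key for sunlight, even though create-everything.sh adds one, so ftp logins would fail on that box until ktadd is run for it. Second, ktadd (without -norandkey) gives the principal a fresh random key and bumps its kvno every time it runs, which is consistent with the different kvnos seen above; if an earlier entry for the same principal is left in the keytab, the lower kvno is a stale key that ktremove should drop. The following Python script (an added example, not code from this page or from MIT Kerberos) parses klist -k output and performs both checks; the first listing is copied from the page, the second is constructed to show the stale-kvno case.

```python
"""Added example (not from this page or MIT): keytab hygiene checks on `klist -k` output."""
import re

# Listing copied from the page's `klist -k` output.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/sunlight.example.com@EXAMPLE.COM
   4 host/sunlight.example.com@EXAMPLE.COM
   5 telnet/sunlight.example.com@EXAMPLE.COM
   5 telnet/sunlight.example.com@EXAMPLE.COM
   3 host/kerberos.example.com@EXAMPLE.COM
   3 host/kerberos.example.com@EXAMPLE.COM
   3 telnet/kerberos.example.com@EXAMPLE.COM
   3 telnet/kerberos.example.com@EXAMPLE.COM
"""

# Constructed listing: ktadd was run twice for host/, so kvno 4 was added while
# the kvno 3 entry stayed behind.
STALE_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----
   3 host/sunlight.example.com@EXAMPLE.COM
   4 host/sunlight.example.com@EXAMPLE.COM
"""


def parse_klist(text):
    """principal -> sorted distinct kvnos (a kvno is listed once per enctype)."""
    kvnos = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:
            kvnos.setdefault(m.group(2), set()).add(int(m.group(1)))
    return {p: sorted(k) for p, k in kvnos.items()}


def missing_services(kvnos, host, realm, services=("host", "telnet", "ftp")):
    """Service principals wanted on `host` that have no key in the keytab."""
    wanted = [f"{s}/{host}@{realm}" for s in services]
    return [name for name in wanted if name not in kvnos]


def stale_kvnos(kvnos):
    """Principals with several kvnos: only the highest is current, the rest are
    old keys left by an earlier ktadd (remove them with ktremove)."""
    return {p: k[:-1] for p, k in kvnos.items() if len(k) > 1}


if __name__ == "__main__":
    keys = parse_klist(KLIST_OUTPUT)
    print("missing:", missing_services(keys, "sunlight.example.com", "EXAMPLE.COM"))
    print("stale  :", stale_kvnos(parse_klist(STALE_OUTPUT)))
```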
In order to connect from a client (here moonlight) to the telnet/ftp server (here sunlight, which, incidentally, is also the Kerberos server) you should first get a ticket with the kinit command.
[florin@moonlight florin]$ kinit
Password for florin@EXAMPLE.COM:
[florin@moonlight florin]$ klist -5
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: florin@EXAMPLE.COM
Valid starting     Expires            Service principal
08/07/01 16:14:44  08/08/01 02:10:39  krbtgt/EXAMPLE.COM@EXAMPLE.COM
[florin@moonlight florin]$ telnet -a -x -f kerberos
Trying 192.168.2.178...
Connected to sunlight.example.com (192.168.2.178).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``florin@EXAMPLE.COM'' ]
Last login: Tue Aug 7 16:11:42 from moonlight
[florin@sunlight florin]$
Seems to be working...
For ftp, simply run the ftp command after adding the ftp/<fully.qualified.host.name> principals and their keys to the keytab.
You can then set the protection level to private with the protect private command.