The initial requirement is that your local Linux accounts correspond to Kerberos principal names.
To start, install the krb5 packages:
yum install krb5-workstation
Then ask your Kerberos admin to create the principal “host/<mgm hostname>@EXAMPLE.COM”, where EXAMPLE.COM is your realm (like CERN.CH, SASKE.SK, ...), and to create a keytab file, for example krb5.keytab. The keytab file is stored under /etc/krb5.keytab on the MGM node. To test it, you can use the ktutil command. The following example shows the keytab contents to be used on the MGM host eosfoo.bar.ch@BAR.CH:
[root@eosfoo.bar.ch ~]# ktutil
ktutil:
ktutil: read_kt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 host/eosfoo.bar.ch@BAR.CH
2 2 host/eosfoo.bar.ch@BAR.CH
3 2 host/eosfoo.bar.ch@BAR.CH
4 2 host/eosfoo.bar.ch@BAR.CH
On the MGM, enable Kerberos 5 authentication in /etc/xrd.cf.mgm:
sec.protocol krb5 host/<host>@EXAMPLE.COM
sec.protbind * only krb5 sss unix
To enable krb5 security mapping of user names, run:
eos -b vid enable krb5
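
A consistency check for the steps above, as an added example that is not part of the EOS documentation or tooling: it confirms that the principal on the sec.protocol krb5 line is actually present in the keytab listing, that no <host> placeholder was left in, and that sec.protbind offers krb5. The function names and the sample files are assumptions made for the example; on a real MGM the listing would be saved ktutil list or klist -k output.

```shell
#!/bin/sh
# Added example: cross-check xrd.cf.mgm against the keytab listing.

# Print the principal on the "sec.protocol krb5" line (its last field).
cfg_principal() {
    awk '$1 == "sec.protocol" && $2 == "krb5" { print $NF; exit }' "$1"
}

# Succeed if a sec.protbind line offers krb5.
cfg_binds_krb5() {
    awk '$1 == "sec.protbind" { for (i = 3; i <= NF; i++) if ($i == "krb5") ok = 1 }
         END { exit !ok }' "$1"
}

# Succeed if principal $2 is listed in file $1 (saved ktutil "list" or "klist -k" output).
keytab_has_principal() {
    awk -v p="$2" '$NF == p { ok = 1 } END { exit !ok }' "$1"
}

# check_mgm_krb5 CONFIG LISTING: returns 0 only if all three checks pass.
check_mgm_krb5() {
    princ=$(cfg_principal "$1")
    [ -n "$princ" ] || { echo "no sec.protocol krb5 line in $1"; return 1; }
    case $princ in
        *'<'*) echo "placeholder left in principal: $princ"; return 1 ;;
    esac
    cfg_binds_krb5 "$1" || { echo "sec.protbind does not offer krb5"; return 1; }
    keytab_has_principal "$2" "$princ" || { echo "$princ not in keytab"; return 1; }
    echo "ok: $princ"
}

# Constructed sample input, modelled on the eosfoo.bar.ch example above.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/xrd.cf.mgm" <<'EOF'
sec.protocol krb5 host/eosfoo.bar.ch@BAR.CH
sec.protbind * only krb5 sss unix
EOF
cat > "$demo/keytab.txt" <<'EOF'
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/eosfoo.bar.ch@BAR.CH
EOF
check_mgm_krb5 "$demo/xrd.cf.mgm" "$demo/keytab.txt"
```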