diff --git a/machines/kerberos.metznet.ca.scm b/machines/kerberos.metznet.ca.scm
index e9423a9..5f8f623 100644
--- a/machines/kerberos.metznet.ca.scm
+++ b/machines/kerberos.metznet.ca.scm
@@ -261,6 +261,8 @@ cryptography.")
 (define (kdc-etc configuration) `(("kdc.conf" ,(serialize-kdc-configuration configuration))))
+
+; TODO: have to stash the KDC master key with `KRB5_KDC_PROFILE=/etc/kdc.conf kdb5_util stash` on first boot
 (define (kdc-shepherd configuration) (list (shepherd-service (documentation "") (provision '(krb5kdc))
@@ -278,8 +280,8 @@ cryptography.")
 configuration) "/lib/krb5/plugins/kdb") "KRB5_KDC_PROFILE=/etc/kdc.conf")
- #:user "kerberos"
- #:group "kerberos"))
+ #:user "root"
+ #:group "root"))
 (stop #~(make-kill-destructor))))) (define kdc-service-type
@@ -299,6 +301,7 @@ cryptography.")
 (operating-system (inherit %metznet-base-server-system) (host-name "kerberos-guix.metznet.ca")
+ (packages (append (list mit-krb5-ldap) %metznet-base-packages))
 (services (append (list (service kdc-service-type (kdc-configuration (dbdefaults '("ldap_kerberos_container_dn = cn=kerberos,dc=metznet,dc=ca"))
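Review bot: The TODO added above `kdc-shepherd` names the command but not where the stash file ends up or who may read it, which is what the next person bootstrapping this host needs. The stash file holds the database master key, so the comment should say it must be readable only by the account the KDC runs as, e.g. `;; TODO: on first boot run KRB5_KDC_PROFILE=/etc/kdc.conf kdb5_util stash; the stash file holds the master key and must be readable only by the KDC account`. Top-level comments in Scheme conventionally start with `;;` rather than a single `;`. Until the step is automated, the `krb5kdc` service presumably cannot start on a fresh deployment, which is worth stating in the comment too.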
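Review bot: Changing `#:user`/`#:group` from `kerberos` to `root` makes the network-facing KDC run with full privileges, and nothing in the commit says why. If the cause is that the stash file or the LDAP bind credentials are root-owned, or that binding the Kerberos port needs privilege (both are guesses from here), it would be safer to keep the dedicated account and have those files owned by `kerberos` and unreadable to others. If root really is required, record the reason beside the change, e.g. `;; runs as root because <reason>; revisit once the stash file is owned by kerberos`. The `shepherd-service` form starts and ends outside this hunk.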
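Review bot: The new `packages` field replaces whatever `%metznet-base-server-system` declares instead of extending it, so it stays in sync only if that system's package list is exactly `%metznet-base-packages`, which this diff does not show. Deriving the list from the inherited record avoids that drift: `(packages (cons mit-krb5-ldap (operating-system-packages %metznet-base-server-system)))`. A one-line comment saying why `mit-krb5-ldap` belongs in the system profile (presumably so the admin tools for the first-boot stash step are on PATH) would help later readers. The `operating-system` form continues past the end of the hunk.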