diff --git a/modules/module-list.nix b/modules/module-list.nix
index 7bc98858506d..537e61814690 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -110,6 +110,7 @@
 ./services/system/dbus.nix
 ./services/system/nscd.nix
 ./services/system/uptimed.nix
+ ./services/system/kerberos.nix
 ./services/ttys/gpm.nix
 ./services/ttys/mingetty.nix
 ./services/web-servers/apache-httpd/default.nix
diff --git a/modules/services/networking/xinetd.nix b/modules/services/networking/xinetd.nix
index 4729ba9d2e4f..5b74d7e420a4 100644
--- a/modules/services/networking/xinetd.nix
+++ b/modules/services/networking/xinetd.nix
@@ -26,6 +26,7 @@ let
 {
 protocol = ${srv.protocol}
 ${optionalString srv.unlisted "type = UNLISTED"}
+ ${optionalString (srv.flags != "") "flags = ${srv.flags}"}
 socket_type = ${if srv.protocol == "udp" then "dgram" else "stream"}
 ${if srv.port != 0 then "port = ${toString srv.port}" else ""}
 wait = ${if srv.protocol == "udp" then "yes" else "no"}
@@ -98,6 +99,12 @@ in
 description = "Command-line arguments for the server program.";
 };
 
+ flags = mkOption {
+ type = types.string;
+ default = "";
+ description = "";
+ };
+
 unlisted = mkOption {
 type = types.bool;
 default = false;
diff --git a/modules/services/system/kerberos.nix b/modules/services/system/kerberos.nix
new file mode 100644
index 000000000000..4ca9a0169bf9
--- /dev/null
+++ b/modules/services/system/kerberos.nix
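Review bot: The new `flags` option in the second xinetd.nix hunk ships with `description = "";`, so it is undocumented in the generated option reference even though its value is spliced verbatim into the service stanza by the `flags = ${srv.flags}` line added in the first xinetd hunk. I would write `description = "Space-separated xinetd flags for this service (e.g. REUSE NAMEINARGS), written verbatim as the stanza's flags attribute; empty means no flags line is emitted.";`. Because the value is neither validated nor escaped before interpolation, the description should also state that it must be a single line, so that a stray newline cannot turn into additional attributes in the stanza.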
@@ -0,0 +1,71 @@
+{pkgs, config, ...}:
+
+let
+
+ inherit (pkgs.lib) mkOption mkIf singleton;
+
+ inherit (pkgs) heimdal;
+
+ stateDir = "/var/heimdal";
+in
+
+{
+
+ ###### interface
+
+ options = {
+
+ services.kerberos_server = {
+
+ enable = mkOption {
+ default = false;
+ description = ''
+ Enable the kerberos authentification server.
+ '';
+ };
+
+ };
+
+ };
+
+
+ ###### implementation
+
+ config = mkIf config.services.kerberos_server.enable {
+
+ environment.systemPackages = [ heimdal ];
+
+ services.xinetd.enable = true;
+ services.xinetd.services = pkgs.lib.singleton
+ { name = "kerberos-adm";
+ flags = "REUSE NAMEINARGS";
+ protocol = "tcp";
+ user = "root";
+ server = "${pkgs.tcpWrapper}/sbin/tcpd";
+ serverArgs = "${pkgs.heimdal}/sbin/kadmind";
+ };
+
+ jobs.kdc =
+ { description = "Kerberos Domain Controller daemon";
+
+ startOn = "ip-up";
+
+ preStart =
+ ''
+ mkdir -m 0755 -p ${stateDir}
+ '';
+
+ exec = "${heimdal}/sbin/kdc";
+
+ };
+
+ jobs.kpasswdd =
+ { description = "Kerberos Domain Controller daemon";
+
+ startOn = "ip-up";
+
+ exec = "${heimdal}/sbin/kpasswdd";
+ };
+ };
+
+}
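Review bot: The `jobs.kpasswdd` job copies the `jobs.kdc` description `"Kerberos Domain Controller daemon"` verbatim, so two different daemons carry the same label; `description = "Kerberos password-changing daemon";` would tell them apart. The `enable` option's description has a typo, `authentification` should be `authentication`, and it declares no `type = types.bool;` although the sibling xinetd options in this commit declare their types (`types` would need to be inherited from `pkgs.lib` alongside `mkOption`). `preStart` creates `${stateDir}` (`/var/heimdal`) with mode 0755; if that directory is where Heimdal keeps the KDC database, as its default layout suggests, world-readable is wider than the daemons need and `mkdir -m 0700 -p ${stateDir}` would be the safer default — confirm against the heimdal package's configured database path. Finally, `singleton` is inherited from `pkgs.lib` at the top but the code then calls `pkgs.lib.singleton` directly, so either drop it from the `inherit` list or use the inherited name.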