{"id":1065,"date":"2010-11-18T21:31:39","date_gmt":"2010-11-18T21:31:39","guid":{"rendered":"http:\/\/mccltd.net\/blog\/?p=1065"},"modified":"2011-04-18T14:50:07","modified_gmt":"2011-04-18T13:50:07","slug":"kerberos-realms-usage","status":"publish","type":"post","link":"http:\/\/darenmatthews.com\/blog\/?p=1065","title":{"rendered":"Kerberos Realms Usage"},"content":{"rendered":"
\n

In order to authenticate against Kerberos realms and perform remote administration, the system must have the krb5-workstation<\/em> package installed.<\/p>\n

\n

Adding principals with kadmin<\/h2>\n

Use kadmin<\/strong> to add and manage principals. The example below creates a principal for testuser@MYREALM<\/em>:<\/p>\n

[root@kdc ~]# \/usr\/kerberos\/sbin\/kadmin -p root\/admin@MYREALM \\<\/strong>\r\n              -q 'add_principal testuser@MYREALM'<\/strong>\r\nAuthenticating as principal root\/admin@MYREALM with password.\r\nPassword for root\/admin@MYREALM:principalpass\r\nWARNING: no policy specified for testuser@MYREALM; defaulting to no policy\r\nEnter password for principal \"testuser@MYREALM\":testuser<\/strong>\r\nRe-enter password for principal \"testuser@MYREALM\":testuser<\/strong>\r\nPrincipal \"testuser@MYREALM\" created.\r\n[root@kdc ~]#<\/pre>\n
Note:<\/span> The password for the root\/admin@MYREALM<\/em> principal was defined at the time of it’s creation in the previous subsection.<\/div>\n<\/div>\n
\n
Authenticating a principal<\/h2>\n
Use kinit<\/strong> to request a Ticket-Granting Ticket<\/em> (TGT), klist<\/strong> to list current tickets, and kdestroy<\/strong> to destroy the credential cache:<\/p>\n
[root@host ~]# klist<\/strong>\r\nklist: No credentials cache found (ticket cache FILE:\/tmp\/krb5cc_0)\r\n\r\nKerberos 4 ticket cache: \/tmp\/tkt0\r\nklist: You have no tickets cached\r\n[root@host ~]# kinit testuser@MYREALM<\/strong>\r\nPassword for testuser@MYREALM:principalpass<\/strong>\r\n[root@host ~]# klist<\/strong>\r\nTicket cache: FILE:\/tmp\/krb5cc_0\r\nDefault principal: testuser@MYREALM\r\n\r\nValid starting     Expires            Service principal\r\n10\/03\/08 09:34:06  10\/04\/08 09:34:06  krbtgt\/MYREALM@MYREALM<\/strong>\r\n\r\nKerberos 4 ticket cache: \/tmp\/tkt0\r\nklist: You have no tickets cached\r\n[root@host ~]# kdestroy<\/strong>\r\n[root@host ~]# klist<\/strong>\r\nklist: No credentials cache found (ticket cache FILE:\/tmp\/krb5cc_0)\r\n\r\nKerberos 4 ticket cache: \/tmp\/tkt0\r\nklist: You have no tickets cached\r\n[root@host ~]#<\/pre>\n
Note:<\/span> The password for the testuser@MYREALM<\/em> principal was defined in the previous section. The example above can be executed on any host that was previously configured as a client for the MYREALM<\/em> realm.<\/div>\n<\/div>\n
\n
Configuring the system for Single Sign-on using Kerberos<\/h2>\n
The configuration for a Single Sign-on solution using Kerberos is not the primary objective of this writing, but there are a few points that are worth noting when pursuing such environment, listed:<\/p>\n