Configuring A Kerberos 5 Client - Red Hat ENTERPRISE LINUX 3 Reference Manual

Chapter 18. Kerberos
8. Verify that the KDC is issuing tickets. First, run kinit to obtain a ticket and store it in a credential cache file. Next, use klist to view the list of credentials in the cache and use kdestroy to destroy the cache and the credentials it contains.

Note
By default, kinit attempts to authenticate using the login user name of the account used when logging into the system (not the Kerberos server). If that user name does not correspond to a principal in the Kerberos database, kinit issues an error message. If that happens, supply kinit with the name of the correct principal as an argument on the command line (kinit principal).

Once these steps are completed, the Kerberos server should be up and running.

18.6. Configuring a Kerberos 5 Client

Setting up a Kerberos 5 client is less involved than setting up a server. At a minimum, install the client packages and provide each client with a valid krb5.conf configuration file. Kerberized versions of rsh and rlogin also require some configuration changes.

1. Be sure that time synchronization is in place between the Kerberos client and the KDC. Refer to Section 18.5 Configuring a Kerberos 5 Server for more information. In addition, verify that DNS is working properly on the Kerberos client before configuring the Kerberos client programs.

2. Install the krb5-libs and krb5-workstation packages on all of the client machines. Supply a valid /etc/krb5.conf file for each client (usually this can be the same krb5.conf file used by the KDC).

3. Before a workstation in the realm can allow users to connect using kerberized rsh and rlogin, that workstation needs to have the xinetd package installed and have its own host principal in the Kerberos database. The kshd and klogind server programs also need access to the keys for their service's principal.

   Using kadmin, add a host principal for the workstation on the KDC. The instance in this case is the hostname of the workstation. Use the -randkey option for kadmin's addprinc command to create the principal and assign it a random key:

      addprinc -randkey host/blah.example.com

   Now that the principal has been created, keys can be extracted for the workstation by running kadmin on the workstation itself, and using the ktadd command within kadmin:

      ktadd -k /etc/krb5.keytab host/blah.example.com

4. To use other kerberized network services they need to be started. Below is a list of some of the more common kerberized services and instructions about enabling them:

   rsh and rlogin — To use the kerberized versions of rsh and rlogin, enable klogin, eklogin, and kshell.

   Telnet — To use kerberized Telnet, krb5-telnet must be enabled.

   FTP — To provide FTP access, create and extract a key for the principal with a root of ftp. Be certain to set the instance to the fully qualified hostname of the FTP server, then enable gssftp.

   IMAP — The IMAP server included in the imap package uses GSS-API authentication using Kerberos 5 if it finds the proper key in /etc/krb5.keytab. The root for the principal should be imap.
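
To confirm the result of steps 3 and 4, the shell functions below (an added example, not part of the Red Hat manual) read klist -k output and report which of the host, ftp and imap principals named in this section have no key in the keytab. The function names, the EXAMPLE.COM realm and the sample output are constructed for illustration, and the permission check is an added assumption about how the keytab should be protected.

```shell
#!/bin/sh
# Check the keytab produced by ktadd in step 3 and the service keys of step 4.
# All names here are illustrative; the sample output and realm are constructed.

# Print the principals (realm stripped) found in `klist -k` output on stdin.
# Entry lines start with a numeric KVNO; header lines do not.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { sub(/@.*/, "", $2); print $2 }' | sort -u
}

# Print each expected principal ROOT/FQDN that has no key in the keytab.
# usage: missing_principals FQDN ROOT... < klist-output
missing_principals() {
    fqdn=$1; shift
    have=$(keytab_principals)
    for root in "$@"; do
        printf '%s\n' "$have" | grep -qxF "$root/$fqdn" || printf '%s\n' "$root/$fqdn"
    done
}

# Succeed only if the file exists and grants nothing to group or other.
# Assumption added here: the keytab holds the host's long-term key, so
# only its owner should be able to read it.
keytab_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Constructed sample of `klist -k /etc/krb5.keytab` output.
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   3 host/blah.example.com@EXAMPLE.COM
   3 host/blah.example.com@EXAMPLE.COM
   2 imap/blah.example.com@EXAMPLE.COM
EOF
}

# On a real client: klist -k /etc/krb5.keytab | missing_principals "$(hostname -f)" host
sample_klist | missing_principals blah.example.com host ftp imap   # prints ftp/blah.example.com
```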
