ApacheDS 2.0
Downloads
Documentation
- Basic User Guide
- Advanced User Guide
- Developer Guide
- Kerberos User Guide
- Configuration
- JavaDocs
- Cross-Reference
Support
Community
About Apache
4.1 - Authenticate with kinit on Linux
##Setup
You first have to make sure kinit is installed.
You can check that by typing kinit in a console :
$ kinit --version
kinit (Heimdal 1.4.1apple1)
Copyright 1995-2010 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs@h5l.org
$
Then, you have to configure the krb5.conf file (it can be found in /etc/krb5.conf, if not just add it).
A minimal /etc/krb5.conf file looks as follows (make sure the port and host name matches!):
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = example.net:60088
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Check that the Kerberos sevrer is started, then try to get a ticket from a user that exists in the base (here, we use hnelson, which is a user we created for test purposes. His password is ‘secret’)
$ kinit hnelson@EXAMPLE.COM
Password for hnelson@EXAMPLE.COM:
$
You should not get any error. If you’ve get some, see later in this chapter.
Now, let’s check that we have correctly obtained a ticket. We will use the klist tool for that :
$ klist -v
Credentials cache: API:501:9
Principal: hnelson@EXAMPLE.COM
Cache version: 0
Server: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Client: hnelson@EXAMPLE.COM
Ticket etype: aes128-cts-hmac-sha1-96
Ticket length: 256
Auth time: Feb 11 16:11:36 2013
End time: Feb 12 02:11:22 2013
Renew till: Feb 18 16:11:36 2013
Ticket flags: pre-authent, initial, renewable, forwardable
Addresses: addressless
$
As we can see, we have obtained a ticket which will expire 6 hours after its creation, which can be renexed for 7 days, encrypted using AES-128 algorithm, ticket that can be used by the TGS.
All is good !
Troubleshooting
So it does not work…
There are many possible reason why you can’t get a ticket.
kinit: krb5_get_init_creds: unable to reach any KDC in realm EXAMPLE.COM
Such a error says that the server is not reachable. Check those points :
- Is the server started ?
- Is the EXAMPLE.COM domain declared in your DNS (or /etc/hosts file) ?