4.1 - Authenticate with kinit on Linux
Setup
You first have to make sure kinit is installed.
You can check that by typing kinit in a console:
$ kinit --version
kinit (Heimdal 1.4.1apple1)
Copyright 1995-2010 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs@h5l.org
$
Then you have to configure the krb5.conf file (it is normally found at /etc/krb5.conf; if it is not there, just create it).
A minimal /etc/krb5.conf file looks as follows (make sure the port and host name match your KDC!):
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = example.net:60088
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
Check that the Kerberos server is started, then try to get a ticket for a user that exists in the directory base (here we use hnelson, a user we created for test purposes; his password is 'secret'):
$ kinit hnelson@EXAMPLE.COM
Password for hnelson@EXAMPLE.COM:
$
You should not get any error. If you do, see the Troubleshooting section later in this chapter.
Now let's check that we have correctly obtained a ticket. We will use the klist tool for that:
$ klist -v
Credentials cache: API:501:9
        Principal: hnelson@EXAMPLE.COM
    Cache version: 0

Server: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Client: hnelson@EXAMPLE.COM
Ticket etype: aes128-cts-hmac-sha1-96
Ticket length: 256
Auth time:  Feb 11 16:11:36 2013
End time:   Feb 12 02:11:22 2013
Renew till: Feb 18 16:11:36 2013
Ticket flags: pre-authent, initial, renewable, forwardable
Addresses: addressless
$
As we can see, we have obtained a ticket that expires 6 hours after its creation, can be renewed for 7 days, and is encrypted with the AES-128 algorithm. The server principal is krbtgt/EXAMPLE.COM@EXAMPLE.COM, so this is a ticket-granting ticket, the one presented to the TGS when asking for service tickets.
All is good!
Troubleshooting
So it does not work...
There are many possible reasons why you can't get a ticket.
kinit: krb5_get_init_creds: unable to reach any KDC in realm EXAMPLE.COM
Such an error means that the server is not reachable. Check the following points:
- Is the server started?
- Is the EXAMPLE.COM domain declared in your DNS (or in the /etc/hosts file)?
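The two checks above, and the krb5.conf format from the Setup section, can be turned into a small preflight script run before kinit. This is an added example, not part of the original guide or of Apache DS; it assumes a krb5.conf in the layout shown above, a single kdc line per realm, and that getent and nc are available for the resolution and connection checks (each check is skipped when its tool is missing).

```shell
#!/bin/sh
# Preflight for the kinit setup above: read the KDC for a realm out of a
# krb5.conf and check that the host resolves and answers on its port.

# Print the default_realm value from the [libdefaults] section.
default_realm() {
    awk '/^[ \t]*\[/ { in_lib = ($0 ~ /\[libdefaults\]/); next }
         in_lib && $1 == "default_realm" { print $3; exit }' "$1"
}

# Print "host port" for the kdc line of the given realm in [realms].
# A kdc line without an explicit port means the Kerberos default, 88.
kdc_for_realm() {
    awk -v realm="$2" '
        /^[ \t]*\[/ { in_realms = ($0 ~ /\[realms\]/); in_block = 0; next }
        in_realms && !in_block && $1 == realm && index($0, "{") { in_block = 1; next }
        in_block && index($0, "}") { in_block = 0; next }
        in_block && $1 == "kdc" {
            sub(/^[ \t]*kdc[ \t]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            n = split($0, p, ":")
            print p[1], (n > 1 ? p[2] : 88)
            exit
        }' "$1"
}

# Return 0 when the KDC host resolves and accepts a TCP connection on the port;
# otherwise say which of the two troubleshooting points above failed.
kdc_reachable() {
    host="$1"; port="$2"
    if command -v getent >/dev/null 2>&1 && ! getent hosts "$host" >/dev/null 2>&1; then
        echo "cannot resolve $host: declare it in DNS or /etc/hosts"; return 1
    fi
    if command -v nc >/dev/null 2>&1 && ! nc -z -w 3 "$host" "$port" >/dev/null 2>&1; then
        echo "no answer from $host:$port: is the Kerberos server started?"; return 1
    fi
    return 0
}

# preflight [krb5.conf] [REALM]: run both checks; kinit can then be attempted.
preflight() {
    conf="${1:-/etc/krb5.conf}"
    realm="${2:-$(default_realm "$conf")}"
    set -- $(kdc_for_realm "$conf" "$realm")
    [ -n "${1:-}" ] || { echo "no kdc entry for realm $realm in $conf"; return 1; }
    echo "realm $realm -> KDC $1 port $2"
    kdc_reachable "$1" "$2"
}
```

Typical use, after sourcing the file: `preflight /etc/krb5.conf EXAMPLE.COM && kinit hnelson@EXAMPLE.COM`.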