| Title: 4.1 - Authenticate with kinit on Linux |
| NavPrev: 4-using-kerberos |
| NavPrevText: 4 - Using Kerberos |
| NavUp: 4-using-kerberos.html |
| NavUpText: 4 - Using Kerberos |
| NavNext: 4.2-authenticate-studio.html |
| NavNextText: 4.2 - Authenticate with Studio |
| Notice: Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| . |
| http://www.apache.org/licenses/LICENSE-2.0 |
| . |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| |
| # 4.1 - Authenticate with kinit on Linux |
| |
| ##Setup |
| |
| You first have to make sure **kinit** is installed. |
| |
| You can check that by typing **kinit** in a console : |
| |
| :::text |
| $ kinit --version |
| kinit (Heimdal 1.4.1apple1) |
| Copyright 1995-2010 Kungliga Tekniska Hรถgskolan |
| Send bug-reports to heimdal-bugs@h5l.org |
| $ |
| |
| Then, you have to configure the **krb5.conf** file (it can be found in **/etc/krb5.conf**, if not just add it). |
| |
| |
| A minimal /etc/krb5.conf file looks as follows (make sure the port and host name matches!): |
| |
| :::text |
| [libdefaults] |
| default_realm = EXAMPLE.COM |
| |
| [realms] |
| EXAMPLE.COM = { |
| kdc = example.net:60088 |
| } |
| |
| [domain_realm] |
| .example.com = EXAMPLE.COM |
| example.com = EXAMPLE.COM |
| |
| |
| Check that the **Kerberos** sevrer is started, then try to get a ticket from a user that exists in the base (here, we use hnelson, which is a user we created for test purposes. His password is 'secret') |
| |
| :::text |
| $ kinit hnelson@EXAMPLE.COM |
| Password for hnelson@EXAMPLE.COM: |
| $ |
| |
| You should not get any error. If you've get some, see later in this chapter. |
| |
| Now, let's check that we have correctly obtained a ticket. We will use the **klist** tool for that : |
| |
| :::text |
| $ klist -v |
| Credentials cache: API:501:9 |
| Principal: hnelson@EXAMPLE.COM |
| Cache version: 0 |
| |
| Server: krbtgt/EXAMPLE.COM@EXAMPLE.COM |
| Client: hnelson@EXAMPLE.COM |
| Ticket etype: aes128-cts-hmac-sha1-96 |
| Ticket length: 256 |
| Auth time: Feb 11 16:11:36 2013 |
| End time: Feb 12 02:11:22 2013 |
| Renew till: Feb 18 16:11:36 2013 |
| Ticket flags: pre-authent, initial, renewable, forwardable |
| Addresses: addressless |
| $ |
| |
| As we can see, we have obtained a ticket which will expire 6 hours after its creation, which can be renexed for 7 days, encrypted using AES-128 algorithm, ticket that can be used by the **TGS**. |
| |
| All is good ! |
| |
| ## Troubleshooting |
| |
| So it does not work... |
| |
| There are many possible reason why you can't get a ticket. |
| |
| ### kinit: krb5_get_init_creds: unable to reach any KDC in realm EXAMPLE.COM |
| |
| Such a error says that the server is not reachable. Check those points : |
| |
| * Is the server started ? |
| * Is the EXAMPLE.COM domain declared in your DNS (or /etc/hosts file) ? |