Configuring the Kerberos Environment
Configuring the Kerberos Client
To configure the Kerberos Client, complete the following steps:
1. Edit the configuration files /etc/krb5.conf and /etc/services as described in “Configuration Files for Kerberos Clients” on page 77.
2. Every Kerberos client system needs a keytab file (/etc/krb5.keytab) holding the key it uses to authenticate itself to the KDC. On the KDC server, create a keytab entry for each client's host principal.
3. Transfer the keytab file from the KDC server to the client without overwriting keys already installed there for other applications: copy it to a temporary destination such as /tmp/hostname.keytab and merge it into /etc/krb5.keytab with the Kerberos utility ktutil. The keytab contains the client's long-term secret key, so use an encrypted transfer (scp, for example) rather than plain ftp, keep the file readable by root only, and delete the temporary copy once it has been merged.
The following example shows how to merge the keytab using ktutil (run as root; omit the first rkt if /etc/krb5.keytab does not exist yet):
# /usr/sbin/ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: rkt /tmp/hostname.keytab
ktutil: list
ktutil: wkt /etc/krb5.keytab.new
ktutil: quit
Then move /etc/krb5.keytab.new over /etc/krb5.keytab and make it mode 600, owned by root. The merged list is written to a new file because wkt adds entries to an existing keytab rather than replacing it; writing straight back to /etc/krb5.keytab would duplicate the entries just read from it.
You can view the keytab file with the klist -k command (without -k, klist shows the credential cache instead). For example:
# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   2 host/hostname.domain.com@KDC.SUBDOMAIN.DOMAIN.COM
Check that the host principal is listed and that its KVNO matches the key version held by the KDC; a stale KVNO after the principal has been rekeyed is a common reason for a client failing to authenticate.
4. If the corresponding UNIX users do not exist, add the KDC users as UNIX users in the /etc/passwd password file. When a credential file is created for a user, the user's /etc/passwd entry is consulted for the UID number.
5. Synchronize the KDC client's clock with the KDC server's clock, to within two minutes. Kerberos rejects requests whose timestamps fall outside the permitted clock skew, so keep the clocks in step with NTP rather than setting them by hand.
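Steps 2 through 5 as one client-side script. This is an added example, not code from the Kerberos manual or its vendor. It assumes an MIT-compatible ktutil and klist on the PATH, a root shell, a keytab already staged under /tmp over an encrypted channel, and a KDC reachable over ssh for the clock check; the hostnames, the realm and the sample klist and krb5.conf text are constructed. It goes a little beyond the page by writing the merged keytab to a fresh file (because wkt appends) and by verifying the host principal and the clock skew rather than only listing the keytab.

```shell
#!/bin/sh
# Added example, not part of the Kerberos manual: installs a client keytab
# following steps 2-5 above. Assumptions: MIT-compatible ktutil/klist on PATH,
# the keytab already copied (over an encrypted channel) to $TMP_KEYTAB, the
# script running as root, and $KDC_HOST accepting ssh so its clock can be read.
TMP_KEYTAB="${TMP_KEYTAB:-/tmp/$(hostname).keytab}"  # staged copy from the KDC
SYS_KEYTAB="${SYS_KEYTAB:-/etc/krb5.keytab}"
HOST_FQDN="${HOST_FQDN:-$(hostname)}"                # must match the host principal
KDC_HOST="${KDC_HOST:-kdc.subdomain.domain.com}"     # hypothetical KDC name
MAX_SKEW="${MAX_SKEW:-120}"                          # seconds: "within two minutes"

# Constructed sample data for the offline self-check (not real output).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   2 host/hostname.domain.com@KDC.SUBDOMAIN.DOMAIN.COM'
SAMPLE_KRB5CONF='[libdefaults]
    default_realm = KDC.SUBDOMAIN.DOMAIN.COM
    clockskew = 120'

# default_realm: print the default_realm from a krb5.conf read on stdin.
default_realm() {
    awk -F= '/^[[:space:]]*default_realm[[:space:]]*=/ {
        gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

# merge_keytab SRC DST: fold SRC into DST without losing keys other services
# already have in DST. ktutil's wkt appends to an existing keytab instead of
# replacing it, so the merged list goes to a fresh root-only file that is then
# moved over DST; writing back to DST itself would duplicate its entries.
merge_keytab() {
    src="$1"; dst="$2"; new="$dst.new.$$"
    {
        [ -f "$dst" ] && echo "rkt $dst"   # skip if no keytab exists yet
        echo "rkt $src"
        echo "wkt $new"
        echo "quit"
    } | (umask 077; ktutil >/dev/null) || { rm -f "$new"; return 1; }
    chown root "$new" && chmod 600 "$new" && mv "$new" "$dst"
}

# keytab_has_principal PRINC: succeed if `klist -k` output on stdin lists PRINC.
keytab_has_principal() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit !found }'
}

# clock_skew_ok CLIENT KDC [LIMIT]: succeed if the two epoch times differ by
# at most LIMIT seconds (default MAX_SKEW); Kerberos rejects requests whose
# timestamps fall outside the permitted skew.
clock_skew_ok() {
    limit="${3:-$MAX_SKEW}"
    diff=$(($1 - $2))
    [ "$diff" -lt 0 ] && diff=$((0 - diff))
    [ "$diff" -le "$limit" ]
}

# now_epoch: seconds since the epoch. `date +%s` is GNU/BSD; on a native
# HP-UX date use `perl -e 'print time'` instead.
now_epoch() { date +%s; }

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -f "$TMP_KEYTAB" ] || { echo "no staged keytab at $TMP_KEYTAB" >&2; return 1; }
    merge_keytab "$TMP_KEYTAB" "$SYS_KEYTAB" || return 1
    rm -f "$TMP_KEYTAB"        # do not leave the host key lying in /tmp
    princ="host/$HOST_FQDN@$(default_realm < /etc/krb5.conf)"
    klist -k "$SYS_KEYTAB" | keytab_has_principal "$princ" \
        || { echo "$princ missing from $SYS_KEYTAB" >&2; return 1; }
    kdc_now=$(ssh "$KDC_HOST" date +%s) || return 1   # assumption: ssh to the KDC works
    clock_skew_ok "$(now_epoch)" "$kdc_now" \
        || { echo "clock differs from $KDC_HOST by more than ${MAX_SKEW}s" >&2; return 1; }
    echo "keytab installed and verified for $princ"
}

# The installation runs only when invoked as: sh install-keytab.sh install
case "${1:-}" in install) main ;; esac
```

The two parsing helpers and the skew check are plain functions so they can be exercised against the constructed samples without a KDC; the merge itself is the only step that needs ktutil, and it deliberately never writes into the live keytab until the merged file is complete and locked down.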
Chapter 3 | 87 |