(heimdal.info.gz) Providing Kerberos credentials to servers and programs

 4.17 Providing Kerberos credentials to servers and programs
 ===========================================================
 
 Some services require Kerberos credentials when they start, either to
 make connections to other services or to use those credentials once
 they are running.
 
 The easiest way to get tickets for a service is to store its key in a
 keytab. Both ktutil get and kadmin ext can be used to get a keytab.
 ktutil get is better in that it changes the key/password for the
 principal at the same time. This is also the problem with ktutil get:
 because each run generates a fresh key, if it is used for the same
 service principal on several hosts, the keytab will only be useful on
 the last host. In that case, run the extract command on one host and
 then securely copy the keytab to all other hosts that need it.
 
      host# ktutil -k /etc/krb5-service.keytab \
            get -p lha/admin@EXAMPLE.ORG service-principal@EXAMPLE.ORG
      lha/admin@EXAMPLE.ORG's Password:
 
 To get a Kerberos credential file for the service, use kinit in the
 `--keytab' mode. This will not ask for a password but instead fetch the
 key from the keytab.
 
      service@host$ kinit --cache=/var/run/service_krb5_cache \
             --keytab=/etc/krb5-service.keytab \
             service-principal@EXAMPLE.ORG
 
 Long running services might need credentials for longer than the
 expiration time of the tickets. kinit can run in a mode that refreshes
 the tickets before they expire. This is useful for services that write
 into AFS and other distributed file systems using Kerberos. To run the
 long running script, just append the program and its arguments (if any)
 after the principal. kinit will stop refreshing credentials and remove
 the credential cache when the script-to-start-service exits.
 
      service@host$ kinit --cache=/var/run/service_krb5_cache \
             --keytab=/etc/krb5-service.keytab \
             service-principal@EXAMPLE.ORG \
             script-to-start-service argument1 argument2
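 The steps above can be wrapped in a small startup script. The following
 is an added example, not part of the Heimdal manual or the Heimdal
 code: it reuses the keytab and cache paths from the commands above,
 assumes kinit is on PATH (override with KINIT), and refuses to start if
 the keytab is readable by group or other, since a keytab holds the
 service's long-term key and anyone who can read it can obtain the
 service's tickets. The helper functions keytab_is_private and
 kinit_cmd_line are illustrative names chosen here.

```shell
#!/bin/sh
# Added example: start a long-running service under kinit --keytab,
# refreshing its tickets until the service exits (see the section above).
# The paths come from the manual's examples; KINIT defaults to "kinit".
KEYTAB="${KEYTAB:-/etc/krb5-service.keytab}"
CACHE="${CACHE:-/var/run/service_krb5_cache}"
PRINC="${PRINC:-service-principal@EXAMPLE.ORG}"
KINIT="${KINIT:-kinit}"

# keytab_is_private FILE
# Succeeds only if FILE is a regular file with no group or other
# permission bits (mode 0600 or stricter). "ls -ld" columns 5-10 are the
# group and other bits on both GNU and BSD ls, so no stat(1) flags are needed.
keytab_is_private() {
    [ -f "$1" ] || return 1
    perm=$(ls -ld "$1" | cut -c5-10)
    [ "$perm" = "------" ]
}

# kinit_cmd_line [PROGRAM ARGS...]
# Prints the kinit invocation that fetches a ticket for PRINC from KEYTAB
# into CACHE and keeps it refreshed while PROGRAM runs. Splitting the
# command construction out makes it easy to log or test what will be run.
kinit_cmd_line() {
    printf '%s --cache=%s --keytab=%s %s' "$KINIT" "$CACHE" "$KEYTAB" "$PRINC"
    for arg in "$@"; do
        printf ' %s' "$arg"
    done
    printf '\n'
}

# run_service PROGRAM ARGS...
# Checks the keytab permissions, then replaces this shell with kinit, which
# in turn starts PROGRAM and removes the cache when PROGRAM exits.
run_service() {
    if ! keytab_is_private "$KEYTAB"; then
        echo "refusing to start: $KEYTAB is readable by group or other" >&2
        return 2
    fi
    exec "$KINIT" --cache="$CACHE" --keytab="$KEYTAB" "$PRINC" "$@"
}

# Usage (as the service user):
#   . ./start-with-kinit.sh && run_service /usr/sbin/service-daemon --foreground
```

 Because run_service uses exec, the service's exit status is reported by
 kinit directly, and the cache file is removed as the manual describes;
 a supervisor can therefore treat the kinit process as the service.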
 