(heimdal.info.gz) Providing Kerberos credentials to servers and programs
4.17 Providing Kerberos credentials to servers and programs
===========================================================
Some services need Kerberos credentials at start-up, to open connections
to other services, or later on while they are running.
The easiest way to give a service tickets is to store its key in a
keytab. Both ktutil get and kadmin ext can produce a keytab. ktutil get
has the advantage that it asks the KDC to set a new random key for the
principal and writes that key straight into the keytab, so nobody ever
has to know or type the principal's password. That is also its drawback:
every run changes the key, so if ktutil get is run for the same service
principal on several hosts, only the keytab created on the last host
will work and the earlier ones are silently invalidated. In that case,
extract the keytab once on one host and then securely copy it to every
other host that needs it (kadmin ext exports the principal's current key
without changing it).
    host# ktutil -k /etc/krb5-service.keytab \
        get -p lha/admin@EXAMPLE.ORG service-principal@EXAMPLE.ORG
    lha/admin@EXAMPLE.ORG's Password:
To obtain a credential cache for the service, run kinit with the
`--keytab' option. It will not ask for a password but fetch the key from
the keytab instead. The keytab holds the service's long-term key, so it
must be readable only by the account the service runs as, and kinit
should be run as that same account so the resulting cache file belongs
to it.
    service@host$ kinit --cache=/var/run/service_krb5_cache \
        --keytab=/etc/krb5-service.keytab \
        service-principal@EXAMPLE.ORG
Long-running services may need credentials for longer than the lifetime
of their tickets. kinit can run in a mode where it refreshes the tickets
before they expire; this is useful for services that write to AFS or
other distributed file systems over Kerberos. To start such a service,
append the program and its arguments (if any) after the principal. kinit
then obtains tickets, keeps them fresh while the program runs, and when
script-to-start-service exits it stops refreshing and removes the
credential cache. Since the key is available in the keytab, kinit can
fetch new tickets outright rather than only renewing the existing ones.
    service@host$ kinit --cache=/var/run/service_krb5_cache \
        --keytab=/etc/krb5-service.keytab \
        service-principal@EXAMPLE.ORG \
        script-to-start-service argument1 argument2
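The start-up wrapper below is an added example and is not part of the
Heimdal manual or of the Heimdal project's own code. It puts the checks a
practitioner would want in front of the kinit invocation described above:
the keytab must be a regular file, owned by the service account, and not
readable by group or others, because whoever can read it holds the
service's long-term key. Only then does it exec kinit with the cache, the
keytab, the principal and the service command, so kinit keeps the tickets
refreshed and destroys the cache when the service exits. The keytab and
cache paths, the principal, the service user name and the command are
all hypothetical and taken from the text; the mode check is done with
ls rather than stat because stat's flags differ between GNU and BSD.

```shell
#!/bin/sh
# Added example (not from the Heimdal manual): check a service keytab, then
# run the service under a kinit-managed, self-refreshing credential cache.
# All paths, the principal and the service user below are assumptions.

# file_mode FILE: print the nine-character permission string, e.g. "rw-------".
# Uses ls -l because stat's option syntax differs between GNU and BSD.
file_mode() {
    ls -ld "$1" | cut -c2-10
}

# file_owner FILE: print the owning user name.
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# check_keytab KEYTAB USER: succeed only if KEYTAB is a regular file owned
# by USER with no group or other permission bits set.  Anyone who can read
# the keytab holds the service's long-term key, so this is the check that
# matters before the key is ever used.
check_keytab() {
    kt=$1
    user=$2
    [ -f "$kt" ] || { echo "keytab $kt is not a regular file" >&2; return 1; }
    case "$(file_mode "$kt")" in
        ???------) ;;                       # owner bits only
        *) echo "keytab $kt is accessible to group/other" >&2; return 1 ;;
    esac
    [ "$(file_owner "$kt")" = "$user" ] ||
        { echo "keytab $kt is not owned by $user" >&2; return 1; }
    return 0
}

# run_with_credentials CACHE KEYTAB PRINCIPAL USER CMD [ARGS...]: verify the
# keytab, then exec Heimdal kinit so it fetches a TGT from the keytab, keeps
# it refreshed, runs CMD, and removes the cache when CMD exits.  exec makes
# kinit take over this PID, which is what a process supervisor expects.
run_with_credentials() {
    cache=$1
    keytab=$2
    principal=$3
    user=$4
    shift 4
    check_keytab "$keytab" "$user" || return 1
    exec kinit --cache="$cache" --keytab="$keytab" "$principal" "$@"
}

# When invoked directly with arguments, act as the wrapper; for example
# (hypothetical names from the text above):
#   wrapper.sh /var/run/service_krb5_cache /etc/krb5-service.keytab \
#       service-principal@EXAMPLE.ORG service script-to-start-service argument1
if [ $# -ge 5 ]; then
    run_with_credentials "$@"
fi
```

Run the wrapper as the service account, not as root, so that both the
check_keytab ownership test and the cache file kinit creates refer to
the account the service actually runs under.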