Sun OpenSSO Enterprise 8.0 Deployment Planning Guide

Using the Debugging Tools

After you configure the UNIX Kerberos Domain Controller or the and Windows 2003 Active Directory Domain Contoller are configured, you can test them with various tools to validate that they are configured properly.

Network Identity Manager

Network Identity Manager is a graphical tool designed by MIT to simplify the management of network identities and their credentials. When Network Identity Manger is used with Kerberos v5, each network identity is a unique Kerberos principal name, and the credentials are Kerberos version 5 tickets. Network Identity Manger enables you to manage any Kerberos ticket returned from a Kerberos Domain Controller. For detailed information, see the Network Identity Manager 1.3.1 User Documentation.


An administrator can obtain an initial Kerberos ticket for a specified principal using the kinit command, and then cache the initial ticket into the ticket cache. Once kinit is executed successfully, any existing tickets for the principal are overwritten. You can use the kinit command to verify that a generated keytab file is working with the Kerberos and Active Directory Domain Controllers. Usage:

kinit [-5] [-4] [-V] [-l lifetime] [-s start_time]
[-r renewable_life][-f | -F] [-p | -P] [-A] [-v] [-R] [-k [-t keytab_file]] 
[-c cachename] [-S service_name] [principal] 
Table 18–2 kinit Options



Kerberos Version 


Use Kerberos 5 

By default, Kerberos version 5 is used. 


Use Kerberos 4 

4, if available 



4, 5 



4, 5 


Start time 



Renewable lifetime 





Not forwardable  



Can be proxied 


Cannot be proxied 


Do not include addresses  






5, or both 5 and 4  


Use keytab  

5, or both 5 and 4 


Filename of keytab to use  

5, or both 5 and 4 


Kerberos 5 cache name 



5, or both 5 and 4 5.3 


Theklist command displays the contents of a Kerberos credentials cache or key table. You can use the klist command to verifty that the generated keytab file has the right principal for OpenSSO Enterprise. Usage:

klist [-5] [-4] [-e] [[-c] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] [name] -5
Table 18–3 klist Command Options




Use Kerberos 5 


Use Keberos 4 


Specifies credentials cache 


Specifies keytab file 

Default is credentials cache. 


Shows the encryption type options for credential caches:  

  • -f shows credentials flags

  • -s sets exit status based on valid tgt existence

  • -a displays the address list

  • -n do not reverse-resolve options for keytabs:

options for keytabs 

  • -t shows keytab entry timestamps

  • -K shows keytab entry DES keys


You can use the ktpass command to configure services running on UNIX systems to work with with service instance accounts in Active Directory. You can also use the ktpass command to generate Kerberos keytab files for services. Before you map an Active Directory user account with OpenSSO Enterprise, first check the Java version that is configured for OpenSSO. If the Java version is 1.5_08 or higher, you can generate the Kerberos keytab file using all default values for account encryption and cryptosystem. Java versions 1.5_08 or higher support the RC4-HMAC crypto system that is default for the Windows Kerberos Domain Controller. If the Java version is lower than 1.5_08, you have must use the DesOnly option. Options:

Table 18–4 ktpass Command Options



[- or /] out

Keytab to produce  

[- or /] princ

Principal name (user@REALM)  

[- or /] pass

Password to use. Use "*" to prompt for password. 

[- or +] rndPass

Generate a random password  

[- or /] minPass

Minimum length for random password. (def:15)  

[- or /] maxPass

Maximum length for random password (def:256) 

[- or /] mapuser :

Map principal to this user account (Default is no mapping) 

[- or /] mapOp :

  • [- or /] mapOp add

  • [- or /] mapOp set

Set the mapping attribute  

  • add value (default)

  • set value

[- or +] DesOnly

Set account for DES-only encryption (default:don't)  

[-or /] in

Set keytab to read/digest 

Key Generation

[- or /] crypto

  • [- or /] crypto DES-CBC-CRC

  • [-or /] crypto DES-CBC-MD5

  • [- or /] crypto RC4-HMAC-NT

Cryptosystem to use  

  • for compatibility

  • for compatibliity

  • default 128-bit encryption

[-or /] ptype 

  • [- or /] ptype :KRB5_NT_PRINCIPAL

  • [- or /] ptype : KRB5_NT_SRV_INST

  • [- or /] ptype : KRB5_NT_SRV_HST

Use one of the following ptypes: 

  • the general ptype-- recommended

  • user service instance

  • host service instance

[-or /] kvno

Override Key Version Number Default: query DC for kvno. Use /kvno 1 for Windows 2000 compatibility 

[- or +] Answer

  • +Answer

  • -Answer

[- or +] Answer

  • Answers YES to prompts

  • Answers NO to prompts

[- or /] Target

Which domain controller to use. Default is to detect the domain contoller. 

Options for Trust Attribtues (Windows Server 2003 SP1 Only)

[- or /] MitRealmName

MIT Realm to enable RC4 trust on.  

[-or /] TrustEncryp

Trust Encryption to use. DES is default. 

[- or /] TrustEncryp

  • [- or /] RC4

  • [- or /] DES

[- /] TrustEncryp 

  • RC4 Realm Trusts (default)

  • Revert to DES


Use these commands to create the configuration entries in the Windows host's registry for the Kerberos realm. The registry entries function similarly to the krb5.conf file used by Unix Kerberos to define the Kerberos Domain Controller information for Kerberos realms.

Table 18–5 ksetup Options



/SetRealm DnsDomainName

Makes this computer a member of an RFC1510 Kerberos Realmp  

/MapUser Principal [Account]

Maps a Kerberos Principal ('*' = any principal) to an account ('*' = an account by same name); If account name is omitted, mapping is deleted for the specified principal.  

/AddKdc RealmName [KdcName]

Defines a Kerberos Domain Controller entry for the given realm. If KdcName omitted, DNS mapping may be used to locate Kerberos Domain Controllers.

/DelKdc RealmName [KdcName]

Deletes a Kerberos Domain Controller entry from the realm. If KdcName omitted, the realm entry itself is deleted.

/AddKpasswd Realmname KpasswdName

Add Kpasswd server address for a realm

/DelKpasswd Realmname KpasswdName

Delete Kpasswd server address for a realm

/Server Servername

Specifies name of a Windows machine to target the changes  

/SetComputerPassword Password

Sets the password for the computer's domain account or host principal  

/RemoveRealm RealmName

Deletes all information for this realm from the registry  

/Domain [DomainName]

Uses this domain (if DomainName is unspecified, detects domain)  

/ChangePassword OldPasswd NewPasswd

Use Kpasswd to change the logged-on user's password. Use '*' to be prompted for passwords.

/ListRealmFlags (no args)

Lists the available Realm flags that ksetup knows

/SetRealmFlags <realm> <flag> [flag] [flag] [...]

Sets RealmFlagsfor a specific realm

/AddRealmFlags realm flag [flag] [flag] [...]

Adds additional RealmFlags to a realm

/DelRealmFlags realm flag [flag] [flag] [...]

Deletes RealmFlags from a realm

/DumpState (no arguments)

Analyze the Kerberos configuration on the given machine