After the UNIX Kerberos Domain Controller or the Windows 2003 Active Directory Domain Controller is configured, you can test it with various tools to validate that it is configured properly.
Network Identity Manager is a graphical tool designed by MIT to simplify the management of network identities and their credentials. When Network Identity Manager is used with Kerberos v5, each network identity is a unique Kerberos principal name, and the credentials are Kerberos version 5 tickets. Network Identity Manager enables you to manage any Kerberos ticket returned from a Kerberos Domain Controller. For detailed information, see the Network Identity Manager 1.3.1 User Documentation.
An administrator can obtain an initial Kerberos ticket for a specified principal using the kinit command, and then cache the initial ticket into the ticket cache. Once kinit is executed successfully, any existing tickets for the principal are overwritten. You can use the kinit command to verify that a generated keytab file is working with the Kerberos and Active Directory Domain Controllers. Usage:
kinit [-5] [-4] [-V] [-l lifetime] [-s start_time] [-r renewable_life] [-f | -F] [-p | -P] [-A] [-v] [-R] [-k [-t keytab_file]] [-c cachename] [-S service_name] [principal]

| Option | Description | Kerberos Version |
|---|---|---|
| -5 | Use Kerberos 5 | By default, Kerberos version 5 is used. |
| -4 | Use Kerberos 4 | 4, if available |
| -V | Verbose | 4, 5 |
| -l | Lifetime | 4, 5 |
| -s | Start time | 5 |
| -r | Renewable lifetime | 5 |
| -f | Forwardable | 5 |
| -F | Not forwardable | 5 |
| -p | Can be proxied | 5 |
| -P | Cannot be proxied | 5 |
| -A | Do not include addresses | 5 |
| -v | Validate | 5 |
| -R | Renew | 5, or both 5 and 4 |
| -k | Use keytab | 5, or both 5 and 4 |
| -t | Filename of keytab to use | 5, or both 5 and 4 |
| -c | Kerberos 5 cache name | 5 |
| -S | Service | 5, or both 5 and 4 |
The klist command displays the contents of a Kerberos credentials cache or key table. You can use the klist command to verify that the generated keytab file has the right principal for OpenSSO Enterprise. Usage:
klist [-5] [-4] [-e] [[-c] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] [name]
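The kinit and klist checks above can be combined into one keytab verification script. The following POSIX shell script is an added example and is not part of the OpenSSO Enterprise documentation; the keytab path, principal name, realm, and the klist sample output embedded in it are assumed placeholder values that you replace with your own. It first confirms with klist -k -t that the keytab holds the expected service principal, then obtains an initial ticket with kinit -k -t into a private credentials cache (so the administrator's own tickets are not overwritten, which kinit would otherwise do), shows the ticket flags, and destroys the cache.

```shell
#!/bin/sh
# Added example, not code from the OpenSSO documentation.
# Assumed values (placeholders): adjust KEYTAB and PRINCIPAL for your host and realm.
KEYTAB="${KEYTAB:-/etc/opensso/openssohost.HTTP.keytab}"
PRINCIPAL="${PRINCIPAL:-HTTP/openssohost.example.com@EXAMPLE.COM}"
# Private cache so a test kinit never clobbers the admin's default cache.
CACHE="${CACHE:-/tmp/krb5cc_keytab_check_$$}"

# keytab_has_principal PRINCIPAL
# Reads "klist -k -t" output on stdin; returns 0 if PRINCIPAL is listed.
# MIT klist prints a header, then one line per key: "KVNO Date Time Principal".
keytab_has_principal() {
    awk -v p="$1" '
        # entry lines start with a numeric KVNO; the principal is the last field
        $1 ~ /^[0-9]+$/ && $NF == p { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample of "klist -k -t" output, used for the offline check below.
SAMPLE_KLIST='Keytab name: FILE:/etc/opensso/openssohost.HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/15/2009 10:22:41 HTTP/openssohost.example.com@EXAMPLE.COM
   3 01/15/2009 10:22:41 HTTP/openssohost.example.com@EXAMPLE.COM'

# sample_has PRINCIPAL: run the parser over the constructed sample (no Kerberos needed)
sample_has() {
    printf '%s\n' "$SAMPLE_KLIST" | keytab_has_principal "$1"
}

# check_keytab_live: the real check against the KDC. Returns
#   0 if the keytab lists PRINCIPAL and kinit -k -t succeeds,
#   1 if the principal is missing or the KDC rejects the key,
#   2 if the Kerberos client tools are not installed.
check_keytab_live() {
    command -v kinit >/dev/null 2>&1 || { echo "kinit not installed" >&2; return 2; }
    if ! klist -k -t "$KEYTAB" | keytab_has_principal "$PRINCIPAL"; then
        echo "principal $PRINCIPAL not found in $KEYTAB" >&2
        return 1
    fi
    # -V is verbose, -k -t takes the key from the keytab instead of prompting
    KRB5CCNAME="$CACHE" kinit -V -k -t "$KEYTAB" "$PRINCIPAL" || return 1
    # -f shows ticket flags (F = forwardable, R = renewable, ...)
    KRB5CCNAME="$CACHE" klist -f
    KRB5CCNAME="$CACHE" kdestroy
}

# Run the live check only when invoked as: sh keytab_check.sh live
case "${1:-}" in
    live) check_keytab_live ;;
esac
```

A principal present in the keytab but rejected by kinit usually means the key version number (KVNO) or encryption type in the keytab no longer matches what the Domain Controller holds, for example after the account password was reset; regenerate the keytab in that case.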
You can use the ktpass command to configure services running on UNIX systems to work with service instance accounts in Active Directory. You can also use the ktpass command to generate Kerberos keytab files for services. Before you map an Active Directory user account to OpenSSO Enterprise, first check the Java version that is configured for OpenSSO. If the Java version is 1.5_08 or higher, you can generate the Kerberos keytab file using all default values for account encryption and cryptosystem. Java versions 1.5_08 or higher support the RC4-HMAC cryptosystem that is the default for the Windows Kerberos Domain Controller. If the Java version is lower than 1.5_08, you must use the DesOnly option. Options:
Table 18–4 ktpass Command Options
Use these commands to create the configuration entries in the Windows host's registry for the Kerberos realm. The registry entries function similarly to the krb5.conf file used by Unix Kerberos to define the Kerberos Domain Controller information for Kerberos realms.
Table 18–5 ksetup Options

| Option | Description |
|---|---|
| /SetRealm DnsDomainName | Makes this computer a member of an RFC1510 Kerberos Realm |
| /MapUser Principal [Account] | Maps a Kerberos Principal ('*' = any principal) to an account ('*' = an account by same name); if the account name is omitted, the mapping is deleted for the specified principal. |
| /AddKdc RealmName [KdcName] | Defines a Kerberos Domain Controller entry for the given realm. If KdcName is omitted, DNS mapping may be used to locate Kerberos Domain Controllers. |
| /DelKdc RealmName [KdcName] | Deletes a Kerberos Domain Controller entry from the realm. If KdcName is omitted, the realm entry itself is deleted. |
| /AddKpasswd Realmname KpasswdName | Adds a Kpasswd server address for a realm |
| /DelKpasswd Realmname KpasswdName | Deletes a Kpasswd server address for a realm |
| /Server Servername | Specifies the name of a Windows machine to target the changes |
| /SetComputerPassword Password | Sets the password for the computer's domain account or host principal |
| /RemoveRealm RealmName | Deletes all information for this realm from the registry |
| /Domain [DomainName] | Uses this domain (if DomainName is unspecified, detects the domain) |
| /ChangePassword OldPasswd NewPasswd | Uses Kpasswd to change the logged-on user's password. Use '*' to be prompted for passwords. |
| /ListRealmFlags (no args) | Lists the available Realm flags that ksetup knows |
| /SetRealmFlags realm flag [flag] [flag] [...] | Sets RealmFlags for a specific realm |
| /AddRealmFlags realm flag [flag] [flag] [...] | Adds additional RealmFlags to a realm |
| /DelRealmFlags realm flag [flag] [flag] [...] | Deletes RealmFlags from a realm |
| /DumpState (no arguments) | Analyzes the Kerberos configuration on the given machine |