
Commands Reference, Volume 3

mkkrb5clnt Command

Purpose

Configures a Kerberos client.

Syntax

mkkrb5clnt -h | [ -c KDC -r Realm -s Server -U [ -a Admin ] -d Domain [ -A ] [ -i Database ] [ -K ] [ -T ] ] [ -l {ldapserver | ldapserver:port} ]

Description

This command configures the Kerberos client. The first part of the command reads the realm name, KDC, VDB path, and domain name from the input and generates a krb5.conf file.

/etc/krb5/krb5.conf: Values for the realm name, Kerberos admin server, and domain name are set as specified on the command line. The command also updates the paths for the default_keytab_name, kdc, and kadmin log files.

If DCE is not configured, this command creates a link to /etc/krb5/krb5.conf from /etc/krb5.conf.

The command also allows you to configure root as an admin user, configure integrated Kerberos authentication, and configure Kerberos as the default authentication scheme.

For integrated login, the -i flag requires the name of the database being used. For LDAP, use the load module name that specifies LDAP. For local files, use the keyword files.

Standard Output   Consists of information messages when the -h flag is used.
Standard Error    Consists of error messages when the command cannot complete successfully.

Flags

-a Admin       Specifies the principal name of the Kerberos server admin.
-A             Specifies root to be added as a Kerberos administrative user.
-c KDC         Specifies the KDC server.
-d Domain      Specifies the complete domain name for the Kerberos client.
-h             Specifies that the command is only to display the valid command syntax.
-i Database    Configures integrated Kerberos authentication.
-K             Specifies Kerberos to be configured as the default authentication scheme.
-l ldapserver | ldapserver:port
               For servers, specifies the LDAP directory used to store the Network Authentication Service principal and policy information.

               For clients, specifies the LDAP directory server to use for Administration server and KDC discovery using LDAP. If the -l flag is used, then the KDC and server flags are optional. If the -l flag is not used, the KDC and server flags must be specified.

               For clients and servers, the port number can optionally be specified. If the port number is not specified, the client connects to the default LDAP server port, 389, or 636 for SSL connections.

               Note: Only the client configuration is updated.
-r Realm       Specifies the full realm name for which the Kerberos client is to be configured.
-s Server      Specifies the fully qualified host name for the Kerberos admin server.
-T             Specifies the flag to acquire a server admin TGT-based admin ticket.
-U             Undoes the setup from the previous configuration command.

Exit Status

Failure of this command to execute successfully may result in incomplete client configuration.

0    Indicates the successful completion of the command.
1    Indicates that an error occurred.

Security

Only the root user is authorized to use this command.

Examples

  1. To display the command syntax, type:

    mkkrb5clnt -h
  2. To configure testbox.austin.ibm.com as a client to sundial.austin.ibm.com, where the KDC is also running on sundial.austin.ibm.com, type:

    mkkrb5clnt -c sundial.austin.ibm.com -r UD3A.AUSTIN.IBM.COM \
                -s sundial.austin.ibm.com -d austin.ibm.com
  3. To configure testbox.austin.ibm.com as the client, make root the server admin, configure integrated login, and configure Kerberos as the default authentication scheme, type:

    mkkrb5clnt -c sundial.austin.ibm.com -r UD3A.AUSTIN.IBM.COM \
         -s sundial.austin.ibm.com -d austin.ibm.com \
         -A -i files -K -T
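
After a run such as Example 2, the generated /etc/krb5/krb5.conf can be checked against the realm, KDC, admin server, and domain that were passed on the command line. The script below is an added example, not part of the original reference or of the AIX tooling; the helper names (krb5_value, expect, check_krb5_conf, sample_conf) and the embedded sample file, which follows the standard krb5.conf section layout rather than captured mkkrb5clnt output, are assumptions.

```shell
#!/bin/sh
# Added example: compare a krb5.conf with the values given to mkkrb5clnt.

krb5_value() {  # args: file section key [realm-block]; prints first match
    awk -v sec="[$2]" -v key="$3" -v blk="$4" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }        # trim the line
        /^\[/      { cur = $0; inblk = 0; next }          # new [section]
        cur != sec { next }
        blk != "" && $1 == blk && $NF == "{" { inblk = 1; next }
        $1 == "}"  { inblk = 0; next }
        (blk == "" || inblk) && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

expect() {  # args: label expected actual
    [ "$2" = "$3" ] && return 0
    echo "MISMATCH $1: expected '$2', found '$3'" >&2
    return 1
}

check_krb5_conf() {  # args: file realm kdc admin_server domain
    rc=0
    v=$(krb5_value "$1" libdefaults default_realm)
    expect default_realm "$2" "$v" || rc=1
    v=$(krb5_value "$1" realms kdc "$2")
    expect kdc "$3" "${v%%:*}" || rc=1                    # ignore :port
    v=$(krb5_value "$1" realms admin_server "$2")
    expect admin_server "$4" "${v%%:*}" || rc=1
    v=$(krb5_value "$1" domain_realm ".$5")
    expect domain_realm "$2" "$v" || rc=1
    return $rc
}

sample_conf() {  # constructed sample, not output captured from a real host
    cat <<'EOF'
[libdefaults]
    default_realm = UD3A.AUSTIN.IBM.COM
[realms]
    UD3A.AUSTIN.IBM.COM = {
        kdc = sundial.austin.ibm.com:88
        admin_server = sundial.austin.ibm.com:749
    }
[domain_realm]
    .austin.ibm.com = UD3A.AUSTIN.IBM.COM
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
check_krb5_conf "$tmp" UD3A.AUSTIN.IBM.COM sundial.austin.ibm.com \
    sundial.austin.ibm.com austin.ibm.com && echo "krb5.conf matches"; rm -f "$tmp"
```

On a configured client, call check_krb5_conf with /etc/krb5/krb5.conf as the first argument; a non-zero return means at least one value differs from what was requested, and each difference is reported on standard error.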

Files

/usr/krb5/sbin    Contains the mkkrb5clnt command.
