Kerberos Commands in AD Bridge

AD Bridge includes several command-line utilities for working with Kerberos. We recommend that you use these Kerberos utilities, located in /opt/pbis/bin, to manage those aspects of Kerberos authentication that are associated with AD Bridge.

For complete instructions on how to use the Kerberos commands, see the man page for the command. For example, man <command name>.

To address Kerberos issues, see Troubleshooting Kerberos Errors.

kdestroy

The kdestroy utility destroys the user's active Kerberos authorization tickets obtained through AD Bridge. Destroying the user's tickets can help solve login issues.

This command destroys only the tickets in the AD Bridge Kerberos cache of the user account that is used to execute the kdestroy command; tickets in other Kerberos caches, including root's, are not destroyed. To destroy another user's cache, run the command with its -c option and the path of that cache.

klist

Lists Kerberos tickets, including the location of the credentials cache, the expiration time of each ticket, and the flags that apply to the tickets.

Because AD Bridge includes its own Kerberos 5 libraries (in /opt/pbis/lib), you must use the AD Bridge klist command by either changing directories to /opt/pbis/bin or including the path in the command.

-sh-3.00$ /opt/pbis/bin/klist
Ticket cache: FILE:/tmp/krb5cc_593495191
Default principal: hoenstiv@EXAMPLE.COM
Valid starting     Expires            Service principal
07/22/08 16:07:23  07/23/08 02:06:39  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	 renew until 07/23/08 04:07:23
07/22/08 16:06:39  07/23/08 02:06:39  host/rhel4d.EXAMPLE.COM@
	 renew until 07/23/08 04:07:23
07/22/08 16:06:39  07/23/08 02:06:39  host/rhel4d.EXAMPLE.COM@EXAMPLE.COM
	 renew until 07/23/08 04:07:23
07/22/08 16:06:40  07/23/08 02:06:39  RHEL4D$@EXAMPLE.COM
	 renew until 07/23/08 04:07:23
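
The following script, added here as an example and not part of the AD Bridge documentation, parses klist output like the session above and reports whether the ticket-granting ticket (the krbtgt entry) has already expired. The sample output embedded in it is copied from the session shown above; the function names, the 14-digit sortable timestamp and the assumption that expiry times use the MM/DD/YY HH:MM:SS layout printed above are the example's own.

```shell
#!/bin/sh
# Added example (not from the AD Bridge documentation): read klist output and
# decide whether the TGT is still usable, so a login or script can call kinit
# before it fails. Assumes the MM/DD/YY HH:MM:SS format shown on this page.

KLIST=/opt/pbis/bin/klist   # AD Bridge's own klist, as the page recommends

# Constructed sample: the klist session shown on this page, trimmed to the
# TGT and one service ticket.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_593495191
Default principal: hoenstiv@EXAMPLE.COM
Valid starting     Expires            Service principal
07/22/08 16:07:23  07/23/08 02:06:39  krbtgt/EXAMPLE.COM@EXAMPLE.COM
         renew until 07/23/08 04:07:23
07/22/08 16:06:40  07/23/08 02:06:39  RHEL4D$@EXAMPLE.COM
         renew until 07/23/08 04:07:23'

# Convert "MM/DD/YY" "HH:MM:SS" into a sortable YYYYMMDDHHMMSS string.
# Two-digit years: 00-68 -> 20xx, 69-99 -> 19xx (the POSIX convention).
to_sortable() {
    printf '%s %s\n' "$1" "$2" | awk '{
        split($1, d, "/"); split($2, t, ":")
        yy = d[3] + 0; yyyy = (yy < 69) ? 2000 + yy : 1900 + yy
        printf "%04d%02d%02d%02d%02d%02d\n", yyyy, d[1], d[2], t[1], t[2], t[3]
    }'
}

# Print the "Expires" timestamp of the krbtgt line from klist output read on
# stdin; print nothing when no TGT is cached. Continuation lines ("renew
# until ...") have only four fields, so they never match.
tgt_expiry() {
    awk '$5 ~ /^krbtgt\// { print $3, $4; exit }'
}

# Return 0 (true) when the TGT in the given klist output expires at or before
# the reference time (date and time as two arguments), or when there is no
# TGT at all; return 1 when the TGT is still valid.
tgt_expired_at() {
    output=$1; ref_date=$2; ref_time=$3
    expiry=$(printf '%s\n' "$output" | tgt_expiry)
    [ -z "$expiry" ] && return 0
    set -- $expiry
    [ "$(to_sortable "$1" "$2")" -le "$(to_sortable "$ref_date" "$ref_time")" ]
}

# Live check against the current user's cache, only where AD Bridge is installed.
if [ -x "$KLIST" ]; then
    now_date=$(date +%m/%d/%y); now_time=$(date +%H:%M:%S)
    if tgt_expired_at "$("$KLIST" 2>/dev/null)" "$now_date" "$now_time"; then
        echo "TGT missing or expired: run /opt/pbis/bin/kinit"
    else
        echo "TGT valid until: $("$KLIST" | tgt_expiry)"
    fi
fi
```

Because the check uses the AD Bridge klist in /opt/pbis/bin rather than whichever klist is first on the PATH, it sees the same cache that AD Bridge's own Kerberos libraries use.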

kinit

Obtains and caches an initial ticket-granting ticket for a principal.

ktutil

Invokes a shell from which you can read, write, or edit entries in a Kerberos keytab.

You can use ktutil to add a keytab file to a non-default location.

When you join a domain, AD Bridge initializes a Kerberos keytab by adding the default_keytab_name setting to krb5.conf and setting it to /etc/krb5.keytab. If the keytab file referenced in krb5.conf does not exist, the AD Bridge domain-join utility changes the setting to /etc/krb5.conf.

You can set the keytab file to be in a location that is different from the default. To do so, you must pre-create the keytab file in the location you want and set a symlink to it in /etc/krb5.keytab. Then, you must set the default_keytab_name in /etc/krb5.conf to point to either the symlink or the real file. The result is that the keytab file will already exist and the AD Bridge domain-join utility will not modify its location setting.

The keytab format does not let you create a keytab file that contains no entries, but you can use ktutil to manually create one with a placeholder entry. When AD Bridge adds your computer to the domain, a correct entry will be added to the file.

/opt/pbis/bin/ktutil 
ktutil:  addent -password -p nonexistent@nonexistent -k 1 -e RC4-HMAC
Password for nonexistent@nonexistent: 
ktutil:  wkt /var/OtherPlace/etc/krb5.keytab
ktutil:  quit
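
The following script, added here as an example and not part of the AD Bridge documentation, carries out the steps above: it creates the placeholder keytab with ktutil, links /etc/krb5.keytab to it, and sets default_keytab_name in /etc/krb5.conf so the domain-join utility finds an existing keytab and leaves the setting alone. The /var/OtherPlace path comes from the session above; the function names, the dummy password, and the assumption that ktutil accepts that password on standard input are the example's own. The live steps run only when /opt/pbis/bin/ktutil exists and /etc/krb5.conf is writable; the krb5.conf editing functions run anywhere.

```shell
#!/bin/sh
# Added example (not from the AD Bridge documentation): place the keytab in a
# non-default location before joining the domain, following the page's steps.

KTUTIL=/opt/pbis/bin/ktutil
KEYTAB=/var/OtherPlace/etc/krb5.keytab   # real keytab, path taken from the page
KRB5_CONF=/etc/krb5.conf

# Step 1: create the keytab with ktutil's placeholder entry (the session shown
# on the page). Assumes ktutil reads the dummy password from stdin; otherwise
# type the same commands interactively.
precreate_keytab() {
    keytab=$1
    mkdir -p "$(dirname "$keytab")"
    "$KTUTIL" <<EOF
addent -password -p nonexistent@nonexistent -k 1 -e RC4-HMAC
placeholder-password
wkt $keytab
quit
EOF
}

# Step 2: make /etc/krb5.keytab a symlink to the real file.
link_default_keytab() {
    ln -sfn "$1" /etc/krb5.keytab
}

# Print the current default_keytab_name value from a krb5.conf, or nothing.
get_default_keytab_name() {
    awk -F= '/^[[:space:]]*default_keytab_name[[:space:]]*=/ {
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); print $2; exit }' "$1"
}

# Step 3: set default_keytab_name inside [libdefaults], replacing an existing
# value or inserting the line (and the section, if absent). The file is
# rewritten in place through a temp copy so a symlinked krb5.conf is preserved.
# Prints the resulting value so the caller can confirm it.
set_default_keytab_name() {
    conf=$1; keytab=$2
    tmp=$(mktemp)
    awk -v kt="$keytab" '
        /^[[:space:]]*\[/ {
            # leaving [libdefaults] without having seen the key: insert it
            if (inlib && !done) { print "    default_keytab_name = " kt; done = 1 }
            inlib = ($0 ~ /^[[:space:]]*\[libdefaults\]/)
        }
        inlib && /^[[:space:]]*default_keytab_name[[:space:]]*=/ {
            print "    default_keytab_name = " kt; done = 1; next
        }
        { print }
        END {
            if (!done) {
                if (!inlib) print "[libdefaults]"
                print "    default_keytab_name = " kt
            }
        }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
    get_default_keytab_name "$conf"
}

# Run the full procedure only where AD Bridge is installed and we may edit
# /etc/krb5.conf (normally as root, before the domain join).
if [ -x "$KTUTIL" ] && [ -w "$KRB5_CONF" ]; then
    precreate_keytab "$KEYTAB"
    link_default_keytab "$KEYTAB"
    set_default_keytab_name "$KRB5_CONF" "$KEYTAB"
fi
```

After the domain join, /opt/pbis/bin/klist -k lists the entries in the configured keytab, which is a quick way to confirm that the machine account entry was written to the file at the non-default path rather than to a newly created /etc/krb5.keytab.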

kvno

Acquires a service ticket for the specified Kerberos principals and prints out the key version numbers of each.