Kerberos policies

Testing a remote connection

© 2014 Dennis Leeuw dleeuw at made-it dot com


    1. krb5.conf
    2. Tests


If you used the correct SRV entries in the DNS server, all that is needed on a Kerberos client is a /etc/krb5.conf file that reads like this:

	[libdefaults]
	# Resolve the realm and its KDCs through DNS instead of static entries
	dns_lookup_realm = true
	dns_lookup_kdc   = true
All other information needed by the client is provided by DNS.


The test is done with kinit, which is provided by the krb5-user package on Debian-based systems and by krb5-workstation on Red Hat-based systems. The first thing you need to do is get a ticket:

kinit <username>
If you run kinit with, or as, the username that belongs to an existing principal, you should get no response when you type the correct Kerberos password. To check that the logon succeeded, type klist, which should respond with something like:
Ticket cache: FILE:/tmp/krb5cc_666
Default principal: dleeuw@EXAMPLE.COM

Valid starting       Expires              Service principal
09/18/2014 15:08:15  09/19/2014 15:08:15  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 09/18/2014 15:08:15

kdestroy throws all tickets away.
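
The klist check above can be scripted. The following is an added example, not part of the original page: it reads klist output and confirms that the default principal is in the expected realm and that an unexpired krbtgt ticket for that realm is in the cache. The function names are hypothetical, the sample is the output shown above, and the date format is assumed to be the one klist printed there.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of any Kerberos package.
# Assumes klist prints dates as MM/DD/YYYY HH:MM:SS, as in the output above.

# to_stamp "MM/DD/YYYY HH:MM:SS" -> YYYYMMDDHHMMSS, so timestamps compare as text
to_stamp() {
    printf '%s\n' "$1" |
        awk '{ split($1, d, "/"); gsub(":", "", $2); print d[3] d[1] d[2] $2 }'
}

# check_tgt REALM NOW   (klist output on stdin)
# Prints ok / wrong-realm / no-tgt / expired; returns 0 only for ok.
check_tgt() {
    realm=$1
    now=$(to_stamp "$2")
    awk -v realm="$realm" -v now="$now" '
        /^Default principal:/ { n = split($3, p, "@"); prealm = p[n] }
        $NF == ("krbtgt/" realm "@" realm) {
            # Fields: start date, start time, expiry date, expiry time, service
            split($3, d, "/"); t = $4; gsub(":", "", t)
            expires = d[3] d[1] d[2] t
            found = 1
        }
        END {
            if (prealm != realm) { print "wrong-realm"; exit 2 }
            if (!found)          { print "no-tgt";      exit 3 }
            if (expires <= now)  { print "expired";     exit 4 }
            print "ok"
        }'
}

# Constructed sample: the klist output shown on this page.
SAMPLE='Ticket cache: FILE:/tmp/krb5cc_666
Default principal: dleeuw@EXAMPLE.COM

Valid starting       Expires              Service principal
09/18/2014 15:08:15  09/19/2014 15:08:15  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 09/18/2014 15:08:15'

# One hour after the ticket was issued: prints "ok"
printf '%s\n' "$SAMPLE" | check_tgt EXAMPLE.COM "09/18/2014 16:00:00"

# Against a live cache (needs a ticket from kinit):
#   klist | check_tgt EXAMPLE.COM "$(date '+%m/%d/%Y %H:%M:%S')"
```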