The tw_kerberos command line utility enables you to do the following tasks:
View and manage the current Kerberos status (known and joined realms)
Define (add) a realm
Delete a realm
Use the BMC Discovery user interface to perform the functionality provided by the tw_kerberos command line utility (see Adding Kerberos realms for discovery authentication). If you choose to run the utility, read the information in this section to learn its usage and to understand the risks and potential impact on your environment.
Using the tw_kerberos utility
To use the utility, type the following command:
where options are any of the options described in the following table and the common command line options described in Using command line utilities.
In each of the sections below, user examples have been included for your reference. In these examples, the user name is system and the password is not specified on the command line. The utility prompts for the password after you enter the command. Type the commands on a single line; line breaks are provided in the examples to make them easier to read.
Command Line Option
Add a realm. You can add a realm multiple times without errors. Specify the realm to add by using
Admin server address. Optional, defaults to the KDC address.
Admin server port. Optional, defaults to port 749. The port number is not shown in the status output unless it is a non-default value.
Delete a realm. Specify the realm to delete by using
KDC address. Required when adding a realm.
KDC port. Optional, defaults to port 88.
The password of the user for which you are testing the access by using
The principal of the user for which you are testing the access by using
Name of realm.
Test obtaining a TGT for a realm. Used in conjunction with
Update the Admin server or KDC details for the specified realm.
List the credential, keytab, and credential cache names that are using the realm.
The following user examples omit the standard appliance user credentials to make the commands easier to read (
To view Kerberos status
In this example, no realms have been added.
To add a new realm
To update a realm
To test a user's access to a realm
Tests whether the specified user can obtain a ticket-granting ticket (TGT) for the realm.
To delete a realm
Location of cached TGTs
Cached TGTs are stored in the /usr/tideway/var/krb5 directory. If you copy TGTs to this directory, you must ensure that they match the principal of the credential with which you intend to use them.
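One way to confirm that a copied TGT matches the credential's principal is to read the default principal from the cache file before using it. The following is an added example, not BMC code: it assumes the cached TGT is an MIT file credential cache (format version 3 or 4), and the principal discovery@EXAMPLE.COM and the sample bytes are constructed for illustration.

```python
import struct

def ccache_default_principal(data: bytes) -> str:
    """Return 'component/...@REALM' for an MIT file ccache, format version 3 or 4."""
    if data[:1] != b"\x05" or data[1:2] not in (b"\x03", b"\x04"):
        raise ValueError("not a version 3 or 4 MIT credential cache")
    pos = 2
    try:
        if data[1] == 4:  # v4 adds a length-prefixed header (for example, a time offset)
            pos += 2 + struct.unpack_from(">H", data, pos)[0]

        def u32() -> int:
            nonlocal pos
            value = struct.unpack_from(">I", data, pos)[0]
            pos += 4
            return value

        def counted() -> str:
            nonlocal pos
            length = u32()
            if pos + length > len(data):
                raise ValueError("truncated credential cache")
            text = data[pos:pos + length].decode("utf-8")
            pos += length
            return text

        u32()                      # name type, not needed for the comparison
        count = u32()              # number of name components
        realm = counted()          # the realm is stored before the components
        return "/".join(counted() for _ in range(count)) + "@" + realm
    except struct.error as exc:
        raise ValueError("truncated credential cache") from exc

def tgt_matches_credential(data: bytes, credential_principal: str) -> bool:
    """True only if the cache's default principal equals the credential's principal."""
    return ccache_default_principal(data) == credential_principal

def _counted(text: str) -> bytes:
    raw = text.encode()
    return struct.pack(">I", len(raw)) + raw

# Constructed sample: v4 header with one time-offset tag, then the principal
# discovery@EXAMPLE.COM (hypothetical name and realm); credentials omitted.
SAMPLE_CCACHE = (b"\x05\x04" + struct.pack(">HHH", 12, 1, 8) + bytes(8)
                 + struct.pack(">II", 1, 1) + _counted("EXAMPLE.COM") + _counted("discovery"))

if __name__ == "__main__":
    print(ccache_default_principal(SAMPLE_CCACHE))
```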
Encryption and SSH support
BMC Discovery uses the following types of encryption.
Modifying the encryption type is not supported.
For more information on the encryptions, see:
BMC Discovery supports Kerberos authentication for target discovery with SSH credentials using standard clients. Although BMC Discovery can be configured to use Tectia SSH and X.509 certificates, this is not supported for Kerberos authentication.