This documentation supports the 21.3 (12.3) version of BMC Discovery.


tw_kerberos


The tw_kerberos command line utility enables you to do the following tasks:

  • View and manage the current Kerberos status (known and joined realms)

  • Define (add) a realm

  • Update a realm's KDC or admin server details

  • Test that a user principal can obtain a ticket-granting ticket (TGT) for a realm

  • Delete a realm


Tip

Prefer the BMC Discovery user interface for these tasks (see Adding Kerberos realms for discovery authentication). If you run the utility instead, read this section first so that you understand its usage, the risks, and the potential impact on your environment.


Using the tw_kerberos utility

To use the utility, type the following command:

tw_kerberos [options]

where options are any of the options described in the following table and the common command line options described in Using command line utilities.

In each of the sections below, user examples have been included for your reference. In these examples, the user name is system; the password is not given on the command line, so the utility prompts for it after you enter the command. Type each command on a single line; the line breaks in the examples are only there to make them easier to read.

Command Line Option

Description

--add

Add a realm. You can add a realm multiple times without errors. Specify the realm to add by using --realm.

--admin=ARG

Admin server address. Optional, defaults to the KDC address.

--admin-port=ARG

Admin server port. Optional, defaults to port 749. The port number is not shown in the status output unless it is a non-default value.

--delete

Delete a realm. Specify the realm to delete by using --realm.

--kdc=ARG

KDC address. Required when adding a realm.

--kdc-port=ARG

KDC port. Optional, defaults to port 88.

--kuser-password=ARG

Password of the principal whose access you are testing with --test. A password given on the command line is visible to other local users in the process list while the command runs and may be recorded in the shell history, so treat it as exposed on a shared appliance.

--kuser-principal=ARG

Principal of the user whose access you are testing with --test.

--realm=ARG

Name of the realm. The examples below also use the short form -R.

--test

Test obtaining a TGT for a realm. Used in conjunction with --kuser-principal and --kuser-password.

--update

Update the Admin server or KDC details for the specified realm.

--verbose

List the credential, keytab, and credential cache names that are using the realm.

Examples

The following examples omit the standard appliance user credentials (--username=system --password=password01) to make the commands easier to read.

To view Kerberos status

In this example, no realms have been added.

[tideaway@appliance01 ]$ tw_kerberos
No realms
[tideaway@appliance01 ]$ 

To add a new realm

[tideaway@appliance01 ]$ tw_kerberos --add --realm=KERB-06 --kdc=10.49.16.71
[tideaway@appliance01 ]$ tw_kerberos
Realm                     KDC                       Admin Server              Creds Keytabs CCaches
------------------------- ------------------------- ------------------------- ----- ------- -------
KERB-06                   10.49.16.71               10.49.16.71                   0       0       0
[tideaway@appliance01 ]$ 

To update a realm

[tideaway@appliance01 ]$ tw_kerberos --update --realm=KERB-06 --kdc-port 888 
[tideaway@appliance01 ]$ tw_kerberos
Realm                     KDC                       Admin Server              Creds Keytabs CCaches
------------------------- ------------------------- ------------------------- ----- ------- -------
KERB-06                   10.49.16.71:888           10.49.16.71                   0       0       0
[tideaway@appliance01 ]$ 

To test a user's access to a realm

Tests whether the specified user can obtain a ticket-granting ticket (TGT) for the realm.

[tideaway@appliance01 ]$ tw_kerberos --add --realm=KERB-99 --kdc=192.168.100.12
[tideaway@appliance01 ]$ tw_kerberos
Realm                     KDC                       Admin Server              Creds Keytabs CCaches
------------------------- ------------------------- ------------------------- ----- ------- -------
KERB-06                   10.49.16.71:888           10.49.16.71                   0       0       0
KERB-99                   192.168.100.12            192.168.100.12                2       1       1
[tideaway@appliance01 ]$ 
[tideaway@appliance01 ]$ tw_kerberos --test -R KERB-06 --kuser-principal tideway --kuser-password userpassword
SUCCESS: Obtained a TGT
[tideaway@appliance01 ]$ 
[tideaway@appliance01 ]$ tw_kerberos --test -R KERB-06 --kuser-principal tideway --kuser-password thisuserpasswordisincorrect
ERROR: Couldn't acquire a Kerberos ticket for tideway@KERB-06: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529638936): Preauthentication failed
FAILED
[tideaway@appliance01 ]$ 

To delete a realm

Check the current status, delete the realm, then confirm that it is gone. Before deleting a realm that still shows non-zero Creds, Keytabs or CCaches counts, run tw_kerberos --verbose to see which credentials, keytabs and credential caches reference it.

[tideaway@appliance01 ]$ tw_kerberos
Realm                     KDC                       Admin Server              Creds Keytabs CCaches
------------------------- ------------------------- ------------------------- ----- ------- -------
KERB-06                   10.49.16.71:888           10.49.16.71                   0       0       0
KERB-99                   192.168.100.12            192.168.100.12                2       1       1
[tideaway@appliance01 ]$ tw_kerberos --delete --realm=KERB-06
[tideaway@appliance01 ]$ tw_kerberos
Realm                     KDC                       Admin Server              Creds Keytabs CCaches
------------------------- ------------------------- ------------------------- ----- ------- -------
KERB-99                   192.168.100.12            192.168.100.12                2       1       1
[tideaway@appliance01 ]$ 
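As an added example (not code from BMC Discovery or the tw_kerberos utility), the following POSIX shell functions parse the status table shown in the examples above and classify the output of --test, so that a check script can decide whether a realm exists, which port its KDC uses, which realms nothing references, and why a test failed. The sample outputs embedded in the script are constructed from the format on this page, not captured from an appliance, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of BMC Discovery or the tw_kerberos utility: parse
# the status table that a bare `tw_kerberos` prints, and classify the result
# of `tw_kerberos --test`, so that a health-check script can act on them.
# Both samples below are constructed from the output format shown on this
# page, not captured from a live appliance.

# Constructed status output. KERB-06 has a non-default KDC port, which is why
# ":888" is shown; KERB-99 uses the default port 88, so no port is shown.
SAMPLE_STATUS='Realm                     KDC                       Admin Server              Creds Keytabs CCaches
------------------------- ------------------------- ------------------------- ----- ------- -------
KERB-06                   10.49.16.71:888           10.49.16.71                   0       0       0
KERB-99                   192.168.100.12            192.168.100.12                2       1       1'

# Constructed --test failure output (the success case is the single line
# "SUCCESS: Obtained a TGT").
SAMPLE_TEST_FAIL='ERROR: Couldn'"'"'t acquire a Kerberos ticket for tideway@KERB-06: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529638936): Preauthentication failed
FAILED'

# Print "realm kdc_host kdc_port admin creds keytabs ccaches" per realm,
# skipping the header and separator rows. "No realms" yields no output.
parse_status() {
    printf '%s\n' "$1" | awk '
        NR <= 2 { next }                      # header row and dashed separator
        {
            host = $2; port = 88              # the default KDC port is not shown
            n = index($2, ":")
            if (n > 0) { host = substr($2, 1, n - 1); port = substr($2, n + 1) }
            print $1, host, port, $3, $4, $5, $6
        }'
}

# KDC host of one realm, e.g. realm_kdc "$SAMPLE_STATUS" KERB-06 -> 10.49.16.71
realm_kdc() {
    parse_status "$1" | awk -v r="$2" '$1 == r { print $2; exit }'
}

# KDC port of one realm: 88 unless the status line shows an explicit ":port".
realm_kdc_port() {
    parse_status "$1" | awk -v r="$2" '$1 == r { print $3; exit }'
}

# Realms referenced by no credential, keytab or credential cache: candidates
# for `tw_kerberos --delete --realm=<name>` when cleaning up stale config.
unused_realms() {
    parse_status "$1" | awk '$5 == 0 && $6 == 0 && $7 == 0 { print $1 }'
}

# Exit 0 only if the realm is listed; a guard before --update or --test.
realm_exists() {
    parse_status "$1" | awk -v r="$2" 'BEGIN { rc = 1 } $1 == r { rc = 0 } END { exit rc }'
}

# Reduce --test output to one word. "Preauthentication failed" is the KDC
# rejecting the client's key, which in practice means a wrong password for
# the given principal; any other output ending in FAILED is reported as such.
classify_test_output() {
    printf '%s\n' "$1" | awk '
        /^SUCCESS:/ { v = "success" }
        /Preauthentication failed/ { v = "preauth-failed" }
        /^FAILED$/ && v == "" { v = "failed" }
        END { print (v == "" ? "unknown" : v) }'
}
```

In a real check script, replace the constructed samples with `$(tw_kerberos --username=... --password=...)` and `$(tw_kerberos --test ...)` captured from the appliance; the parsing relies only on the column order shown on this page and on the rule that default ports are omitted from the KDC and Admin Server columns.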

Location of cached TGTs

Cached TGTs are stored in the /usr/tideway/var/krb5 directory. If you copy TGTs into this directory, ensure that each one matches the principal of the credential with which you intend to use it. A cached TGT is a bearer credential: anyone who can read the file can authenticate as that principal until the ticket expires, so keep the directory and the files in it readable only by the tideway account that runs the appliance services.
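As an added example (not part of BMC Discovery), the following shell function audits a credential-cache directory for ticket files that other local accounts can read, or that are owned by someone other than the service user. The directory path, the expected owner (tideway) and the required mode (0600 or stricter) are this example's assumptions; the page itself only states where the cached TGTs live.

```shell
#!/bin/sh
# Added example, not part of BMC Discovery: audit a credential-cache directory
# such as /usr/tideway/var/krb5 for ticket files that another local account
# could read. A cached TGT is a bearer credential; anyone who can read the
# file can use it until it expires. The directory and the expected owner are
# arguments here (assumptions for this example; the page does not specify the
# expected file modes).
#
# Prints "<mode> <owner> <path>" for each offending file and returns 1 if any
# were found, 0 if the directory is clean.
audit_ccache_dir() {
    dir=$1
    owner=${2:-tideway}    # account the BMC Discovery services run as (assumed)
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Octal mode and owner name; GNU stat and BSD stat take different flags.
        info=$(stat -c '%a %U' "$f" 2>/dev/null) || info=$(stat -f '%OLp %Su' "$f")
        set -- $info
        perm=$1; who=$2
        # A ticket cache should be mode 0600 (or stricter) and owned by the
        # service user: reject any group/other bits or a foreign owner.
        case "$perm" in
            *[1-7][0-7]|*[0-7][1-7]) bad=1 ;;   # some group or other bit set
            *)                       bad=0 ;;
        esac
        [ "$who" = "$owner" ] || bad=1
        if [ "$bad" -eq 1 ]; then
            found=1
            printf '%s %s %s\n' "$perm" "$who" "$f"
        fi
    done
    return "$found"
}
```

Run it as `audit_ccache_dir /usr/tideway/var/krb5 tideway` from a cron job or a post-change check; a non-zero exit means at least one cache file is exposed and should be chmod 600 and chown tideway before it is trusted.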

Encryption and SSH support

BMC Discovery supports the following Kerberos encryption types (enctypes). Several entries are MIT Kerberos alias names for the same enctype: for example, aes256-cts and aes256-sha1 are aliases of aes256-cts-hmac-sha1-96, aes256-sha2 is an alias of aes256-cts-hmac-sha384-192, and rc4-hmac and arcfour-hmac-md5 are aliases of arcfour-hmac.

  • aes256-cts-hmac-sha1-96
  • aes256-cts
  • aes256-sha1
  • aes128-cts-hmac-sha1-96
  • aes128-cts
  • aes128-sha1
  • aes256-cts-hmac-sha384-192
  • aes256-sha2
  • aes128-cts-hmac-sha256-128
  • aes128-sha2
  • camellia256-cts-cmac
  • camellia256-cts
  • camellia128-cts-cmac
  • camellia128-cts
  • arcfour-hmac
  • rc4-hmac
  • arcfour-hmac-md5

Changing this set of encryption types is not supported. Note that the RC4 types (arcfour-hmac and its aliases) are deprecated by RFC 8429 and are being phased out by both MIT Kerberos and Microsoft; where you control the KDC, configure the principals that BMC Discovery uses with AES keys so that the RC4 types are never negotiated.

For more information on the encryption types, see:

  • MIT Kerberos
  • Microsoft Windows Kerberos

BMC Discovery supports Kerberos authentication for target discovery with SSH credentials that use the standard SSH clients. Although BMC Discovery can be configured to use Tectia SSH and X.509 certificates, neither is supported for Kerberos authentication.
