tw_kerberos
The tw_kerberos command line utility enables you to do the following tasks:
View and manage the current Kerberos status (known and joined realms)
Define (add) a realm
Update the KDC or admin server details of a realm
Test that a user can obtain a ticket-granting ticket (TGT) for a realm
Delete a realm
Tip
Use the BMC Discovery user interface to perform the functionality provided by the tw_kerberos command line utility (see Adding Kerberos realms for discovery authentication). If you choose to run the utility, read the information in this section to learn its usage and to understand the risks and potential impact on your environment.
Using the tw_kerberos utility
To use the utility, type the following command:
tw_kerberos [options]
where options are any of the options described in the following table and the common command line options described in Using command line utilities.
In each of the sections below, user examples have been included for your reference. In these examples, the user name is system and the appliance password is not specified on the command line; the utility prompts for it after you enter the command. Note that the --test examples do pass the Kerberos user's password as a command line argument (--kuser-password). Like any argument, it is recorded in the shell history and is visible in the process list while the command runs, so test with a low-privilege account rather than a privileged principal. Type the commands on a single line; line breaks are provided in the examples to make them easier to read.
Command Line Option | Description |
---|---|
--add | Add a realm. You can add a realm multiple times without errors. Specify the realm to add by using --realm. |
 | Admin server address. Optional; defaults to the KDC address. |
 | Admin server port. Optional; defaults to port 749. The port number is not shown in the status output unless it is a non-default value. |
--delete | Delete a realm. Specify the realm to delete by using --realm. |
--kdc | KDC address. Required when adding a realm. |
--kdc-port | KDC port. Optional; defaults to port 88. The port number is not shown in the status output unless it is a non-default value. |
--kuser-password | The password of the user whose access you are testing by using --test. |
--kuser-principal | The principal of the user whose access you are testing by using --test. |
--realm, -R | Name of the realm. |
--test | Test obtaining a TGT for a realm. Used in conjunction with --kuser-password and --kuser-principal. |
--update | Update the Admin server or KDC details for the specified realm. |
--verbose | List the credential, keytab, and credential cache names that are using the realm. |
Examples
The following user examples omit the standard appliance user credentials (for example, --username=system --password=password01) to make the commands easier to read.
To view Kerberos status
In this example, no realms have been added.
```
[tideway@appliance01 ]$ tw_kerberos
No realms
[tideway@appliance01 ]$
```
To add a new realm
```
[tideway@appliance01 ]$ tw_kerberos --add --realm=KERB-06 --kdc=10.49.16.71
[tideway@appliance01 ]$ tw_kerberos
Realm                     KDC                       Admin Server              Creds Keytabs CCaches
------------------------- ------------------------- ------------------------- ----- ------- -------
KERB-06                   10.49.16.71               10.49.16.71               0     0       0
[tideway@appliance01 ]$
```
To update a realm
The non-default KDC port now appears in the status output as host:port.
```
[tideway@appliance01 ]$ tw_kerberos --update --realm=KERB-06 --kdc-port 888
[tideway@appliance01 ]$ tw_kerberos
Realm                     KDC                       Admin Server              Creds Keytabs CCaches
------------------------- ------------------------- ------------------------- ----- ------- -------
KERB-06                   10.49.16.71:888           10.49.16.71               0     0       0
[tideway@appliance01 ]$
```
To test a user's access to a realm
Tests whether the specified user can obtain a ticket-granting ticket (TGT) for the realm. The second test uses a wrong password and fails with a preauthentication error from the KDC.
```
[tideway@appliance01 ]$ tw_kerberos --add --realm=KERB-99 --kdc=192.168.100.12
[tideway@appliance01 ]$ tw_kerberos
Realm                     KDC                       Admin Server              Creds Keytabs CCaches
------------------------- ------------------------- ------------------------- ----- ------- -------
KERB-06                   10.49.16.71:888           10.49.16.71               0     0       0
KERB-99                   192.168.100.12            192.168.100.12            2     1       1
[tideway@appliance01 ]$
[tideway@appliance01 ]$ tw_kerberos --test -R KERB-06 --kuser-principal tideway --kuser-password userpassword
SUCCESS: Obtained a TGT
[tideway@appliance01 ]$
[tideway@appliance01 ]$ tw_kerberos --test -R KERB-06 --kuser-principal tideway --kuser-password thisuserpasswordisincorrect
ERROR: Couldn't acquire a Kerberos ticket for tideway@KERB-06: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638936): Preauthentication failed
FAILED
[tideway@appliance01 ]$
```
To delete a realm
The status is shown before and after the deletion.
```
[tideway@appliance01 ]$ tw_kerberos
Realm                     KDC                       Admin Server              Creds Keytabs CCaches
------------------------- ------------------------- ------------------------- ----- ------- -------
KERB-06                   10.49.16.71:888           10.49.16.71               0     0       0
KERB-99                   192.168.100.12            192.168.100.12            2     1       1
[tideway@appliance01 ]$
[tideway@appliance01 ]$ tw_kerberos --delete --realm=KERB-06
[tideway@appliance01 ]$ tw_kerberos
Realm                     KDC                       Admin Server              Creds Keytabs CCaches
------------------------- ------------------------- ------------------------- ----- ------- -------
KERB-99                   192.168.100.12            192.168.100.12            2     1       1
[tideway@appliance01 ]$
```
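When tw_kerberos is driven from a script (for example to verify realm definitions after an appliance rebuild, or to run the TGT test for every realm on a schedule), the status table and the --test messages above have to be parsed, and the realm and principal values fed into the command line have to be checked before use. The following Python is an added example written for this page; it is not part of BMC Discovery or of the tw_kerberos utility. It assumes the output looks exactly like the transcripts above, and the allow-list regexes, the Realm and TgtTest records, and the function names are the example's own choices.

```python
"""Script around tw_kerberos: build its argv safely and parse its output.

Added example for this page, not code from BMC Discovery. It assumes the
status table and --test messages have the shape shown in the transcripts
above; the sample text at the bottom is constructed from those transcripts.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Conservative allow-lists (an assumption of this example) so a realm or
# principal taken from a config file cannot smuggle extra tw_kerberos options
# or shell syntax into the command line.
REALM_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
PRINCIPAL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/@-]*$")
GSS_RE = re.compile(r"Major \((\d+)\): (.*?), Minor \((\d+)\): (.*)")

@dataclass
class Realm:
    name: str
    kdc: str
    kdc_port: int        # 88 unless the status shows host:port
    admin_server: str
    admin_port: int      # 749 unless the status shows host:port
    creds: int
    keytabs: int
    ccaches: int

@dataclass
class TgtTest:
    ok: bool
    major: Optional[int] = None
    minor: Optional[int] = None
    reason: Optional[str] = None

def _host_port(field: str, default: int) -> tuple:
    # The status prints host:port only for non-default ports (see the table above).
    # IPv4 or hostname only; a bracketed IPv6 literal would need extra handling.
    host, sep, port = field.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (field, default)

def parse_status(stdout: str) -> list:
    """Parse the table printed by a bare `tw_kerberos` call (or 'No realms')."""
    lines = [ln for ln in stdout.splitlines() if ln.strip()]
    if not lines or lines[0].strip() == "No realms":
        return []
    realms = []
    for ln in lines:
        if ln.startswith(("Realm", "---")):
            continue                        # column header and rule
        parts = ln.split()
        if len(parts) != 6:
            raise ValueError(f"unexpected status line: {ln!r}")
        name, kdc, admin, creds, keytabs, ccaches = parts
        kdc_host, kdc_port = _host_port(kdc, 88)
        adm_host, adm_port = _host_port(admin, 749)
        realms.append(Realm(name, kdc_host, kdc_port, adm_host, adm_port,
                            int(creds), int(keytabs), int(ccaches)))
    return realms

def unused_realms(realms: list) -> list:
    """Realms that no credential, keytab or ccache references: --delete candidates."""
    return [r.name for r in realms if r.creds == r.keytabs == r.ccaches == 0]

def build_test_argv(realm: str, principal: str, password: str) -> list:
    """argv for `tw_kerberos --test`. Run it with subprocess and no shell so the
    password stays out of shell history; it is still visible in `ps` while the
    test runs, which the utility's interface gives no way to avoid."""
    if not REALM_RE.match(realm):
        raise ValueError(f"refusing suspicious realm name {realm!r}")
    if not PRINCIPAL_RE.match(principal):
        raise ValueError(f"refusing suspicious principal {principal!r}")
    return ["tw_kerberos", "--test", "-R", realm,
            "--kuser-principal", principal, "--kuser-password", password]

def parse_test_output(output: str) -> TgtTest:
    """Turn the SUCCESS/ERROR text printed by --test into a structured result."""
    if "SUCCESS: Obtained a TGT" in output:
        return TgtTest(True)
    m = GSS_RE.search(output)
    if m:
        reason = re.sub(r"\s*FAILED\s*$", "", m.group(4).strip())
        return TgtTest(False, int(m.group(1)), int(m.group(3)), reason)
    return TgtTest(False, reason=output.strip() or "no output")

def run(argv: list) -> str:
    """Execute an argv list without a shell; return stdout and stderr together."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr

if __name__ == "__main__":
    # Constructed sample copied from the transcripts on this page.
    sample = (
        "Realm      KDC              Admin Server     Creds Keytabs CCaches\n"
        "---------- ---------------- ---------------- ----- ------- -------\n"
        "KERB-06    10.49.16.71:888  10.49.16.71      0     0       0\n"
        "KERB-99    192.168.100.12   192.168.100.12   2     1       1\n")
    for r in parse_status(sample):
        print(r)
    print("unused realms:", unused_realms(parse_status(sample)))
```

On a live appliance, replace the constructed sample with `run(["tw_kerberos"])` and feed `run(build_test_argv(...))` into parse_test_output; the appliance --username/--password options still have to be supplied the way the page describes.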
Location of cached TGTs
Cached TGTs are stored in the /usr/tideway/var/krb5 directory. If you copy TGTs to this directory, you must ensure that they match the principal of the credential with which you intend to use them. A credential cache is a bearer token: anyone who can read it can act as that principal until the ticket expires, so keep the directory and its files readable only by the tideway user.
Encryption and SSH support
BMC Discovery uses the following types of encryption.
Modifying the encryption type is not supported.
For more information on the encryptions, see:
BMC Discovery supports Kerberos authentication for discovery of targets by using SSH credentials with standard SSH clients. Although BMC Discovery can be configured to use Tectia SSH and X.509 certificates, these are not supported for Kerberos authentication.