tw_kerberos
Using the tw_kerberos utility
To use the utility, type the following command:
tw_kerberos [options]
where options are any of the options described in the following table and the common command line options described in Using-command-line-utilities.
In each of the sections below, user examples have been included for your reference. In these examples, the user name is system and the password is not specified on the command line. The utility prompts for the password after you enter the command. Type the commands on a single line; line breaks are provided in the examples to make them easier to read.
Command Line Option | Description |
---|---|
--add | Add a realm. You can add a realm multiple times without errors. Specify the realm to add by using --realm. |
--admin=ARG | Admin server address. Optional, defaults to the KDC address. |
--admin-port=ARG | Admin server port. Optional, defaults to port 749. The port number is not shown in the status output unless it is a non-default value. |
--delete | Delete a realm. Specify the realm to delete by using --realm. |
--kdc=ARG | KDC address. Required when adding a realm. |
--kdc-port=ARG | KDC port. Optional, defaults to port 88. |
--kuser-password=ARG | The password of the user whose access you are testing with --test. |
--kuser-principal=ARG | The principal of the user whose access you are testing with --test. |
--realm=ARG | Name of realm. The examples below also use the short form -R. |
--test | Test obtaining a TGT for a realm. Used in conjunction with --kuser-password and --kuser-principal. |
--update | Update the admin server or KDC address or port (--admin, --admin-port, --kdc, --kdc-port) for the realm specified with --realm. |
--verbose | List the credential, keytab, and credential cache names that are using the realm. |
Examples
The following user examples omit the standard appliance user credentials to make the commands easier to read (--username=system --password=password01).
To view Kerberos status
Running tw_kerberos with no options lists the configured realms. In this example, no realms have been added.
[tideaway@appliance01 ]$ tw_kerberos
No realms
[tideaway@appliance01 ]$
To add a new realm
Add the realm with --add, naming it with --realm and giving the KDC address with --kdc. The admin server is not specified, so it defaults to the KDC address. Running tw_kerberos with no options afterwards confirms the realm was added.
[tideaway@appliance01 ]$ tw_kerberos --add --realm KERB-06 --kdc 10.49.16.71
[tideaway@appliance01 ]$ tw_kerberos
Realm KDC Admin Server Creds Keytabs CCaches
------------------------- ------------------------- ------------------------- ----- ------- -------
KERB-06 10.49.16.71 10.49.16.71 0 0 0
[tideaway@appliance01 ]$
To update a realm
This example changes the KDC port of KERB-06 to 888. Because 888 is not the default port, the status output now shows it after the KDC address.
[tideaway@appliance01 ]$ tw_kerberos --update --realm KERB-06 --kdc-port 888
[tideaway@appliance01 ]$ tw_kerberos
Realm KDC Admin Server Creds Keytabs CCaches
------------------------- ------------------------- ------------------------- ----- ------- -------
KERB-06 10.49.16.71:888 10.49.16.71 0 0 0
[tideaway@appliance01 ]$
To test a user's access to a realm
Tests whether the specified user can obtain a ticket-granting ticket (TGT) for the realm. The user's password is passed on the command line with --kuser-password, so it is recorded in the shell history and is visible to other local users in process listings while the command runs. Avoid testing with a privileged account's password, and remove the command from the shell history afterwards.
[tideaway@appliance01 ]$ tw_kerberos
Realm KDC Admin Server Creds Keytabs CCaches
------------------------- ------------------------- ------------------------- ----- ------- -------
KERB-06 10.49.16.71:888 10.49.16.71 0 0 0
KERB-99 192.168.100.12 192.168.100.12 2 1 1
[tideaway@appliance01 ]$
[tideaway@appliance01 ]$ tw_kerberos --test -R KERB-06 --kuser-principal tideway --kuser-password userpassword
SUCCESS: Obtained a TGT
[tideaway@appliance01 ]$
[tideaway@appliance01 ]$ tw_kerberos --test -R KERB-06 --kuser-principal tideway --kuser-password thisuserpasswordisincorrect
ERROR: Couldn't acquire a Kerberos ticket for tideway@KERB-06: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638936): Preauthentication failed
FAILED
[tideaway@appliance01 ]$
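The failure text in the example above is produced by the Kerberos library behind tw_kerberos; the Minor text is what tells you why the TGT request failed. The shell functions below are an added example, not part of tw_kerberos or BMC Discovery: they extract the principal from the ERROR line and map the Minor text to a hint, covering the standard MIT Kerberos messages beyond the "Preauthentication failed" case shown on this page. The run_test_with_hints wrapper assumes tw_kerberos is on the PATH and reads the Kerberos user's password without echo so that it does not land in the interactive shell's history.

```shell
# Added example, not part of tw_kerberos: triage the output of
# "tw_kerberos --test". The strings matched in krb_test_hint are the standard
# MIT Kerberos error messages that appear as the "Minor" text in the ERROR line.

# krb_test_principal LINE -> prints "user@REALM" from an ERROR line such as
#   ERROR: Couldn't acquire a Kerberos ticket for tideway@KERB-06: Major ...
krb_test_principal() {
    printf '%s\n' "$1" | sed -n 's/.*Kerberos ticket for \([^:]*\):.*/\1/p'
}

# krb_test_hint LINE -> prints a one-line hint for a SUCCESS or ERROR line;
# returns 1 (and prints nothing) for lines it does not recognise, e.g. "FAILED".
krb_test_hint() {
    case $1 in
        SUCCESS*)                                  echo "ok: TGT obtained" ;;
        *"Preauthentication failed"*)              echo "wrong password for this principal" ;;
        *"Client not found in Kerberos database"*) echo "unknown principal: check --kuser-principal and the realm" ;;
        *"Cannot contact any KDC"*)                echo "KDC unreachable: check --kdc, --kdc-port (default 88) and the firewall" ;;
        *"Clock skew too great"*)                  echo "appliance clock is too far from the KDC clock: fix NTP" ;;
        *"Password has expired"*)                  echo "password expired on the KDC" ;;
        *"credentials have been revoked"*)         echo "account locked or disabled on the KDC" ;;
        *)                                         return 1 ;;
    esac
}

# run_test_with_hints REALM PRINCIPAL: run tw_kerberos --test and annotate each
# output line with a hint. The password is read without echo so it does not
# enter the shell history; it is still visible in the process list while
# tw_kerberos runs, because the utility only accepts it as an argument.
run_test_with_hints() {
    realm=$1; principal=$2
    printf 'Password for %s@%s: ' "$principal" "$realm" >&2
    stty -echo 2>/dev/null; read -r kpw; stty echo 2>/dev/null; echo >&2
    tw_kerberos --test --realm "$realm" --kuser-principal "$principal" --kuser-password "$kpw" 2>&1 |
    while IFS= read -r line; do
        printf '%s\n' "$line"
        hint=$(krb_test_hint "$line") && printf '  -> %s\n' "$hint"
    done
    unset kpw
}
```

Usage on the appliance: `run_test_with_hints KERB-06 tideway`. The hint for the page's own error line is "wrong password for this principal"; a "Cannot contact any KDC" message points at the --kdc / --kdc-port values rather than the user.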
To delete a realm
The first listing shows the realms before deletion. KERB-06 is then deleted with --delete and --realm; the second listing shows that only KERB-99 remains.
[tideaway@appliance01 ]$ tw_kerberos
Realm KDC Admin Server Creds Keytabs CCaches
------------------------- ------------------------- ------------------------- ----- ------- -------
KERB-06 10.49.16.71:888 10.49.16.71 0 0 0
KERB-99 192.168.100.12 192.168.100.12 2 1 1
[tideaway@appliance01 ]$
[tideaway@appliance01 ]$ tw_kerberos --delete --realm KERB-06
[tideaway@appliance01 ]$ tw_kerberos
Realm KDC Admin Server Creds Keytabs CCaches
------------------------- ------------------------- ------------------------- ----- ------- -------
KERB-99 192.168.100.12 192.168.100.12 2 1 1
[tideaway@appliance01 ]$
Location of cached TGTs
Cached TGTs are stored in the /usr/tideway/var/krb5 directory. If you copy TGTs to this directory, you must ensure that they match the principal of the credential with which you intend to use them. A cached TGT is a bearer credential: anyone who can read the file can use it until it expires, so keep the directory and its contents readable only by the tideway service account.
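To check the two points above, the principal a cache belongs to and who can read it, the following shell functions are an added example, not part of BMC Discovery. They assume the MIT Kerberos client tools (klist) are installed on the appliance and parse only the "Default principal:" line of `klist -c FILE`; the sample klist output embedded in the block is constructed so the parsing can be exercised without a real cache.

```shell
# Added example, not part of BMC Discovery: verify the credential caches under
# /usr/tideway/var/krb5. Assumes the MIT Kerberos client tools (klist) are on
# the appliance; only the "Default principal:" line of "klist -c FILE" is used.

CCACHE_DIR=${CCACHE_DIR:-/usr/tideway/var/krb5}

# Constructed sample of "klist -c" output, used by demo() so the parsing can be
# exercised without a real cache file.
SAMPLE_KLIST='Ticket cache: FILE:/usr/tideway/var/krb5/krb5cc_KERB-06
Default principal: tideway@KERB-06

Valid starting       Expires              Service principal
01/01/2024 08:00:00  01/01/2024 18:00:00  krbtgt/KERB-06@KERB-06'

# principal_from_klist: stdin is klist output; prints the default principal.
principal_from_klist() {
    sed -n 's/^Default principal:[[:space:]]*//p' | head -n 1
}

# realm_of PRINCIPAL -> the realm part (text after the last '@').
realm_of() {
    printf '%s\n' "$1" | sed 's/.*@//'
}

# ccache_matches FILE PRINCIPAL -> 0 when the cache belongs to PRINCIPAL.
# Returns 1 if klist cannot read the file or the principal differs.
ccache_matches() {
    actual=$(klist -c "$1" 2>/dev/null | principal_from_klist)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# check_ccache_dir PRINCIPAL: one line per file: OK/MISMATCH, permissions, path.
# A cached TGT is a bearer credential, so anything wider than mode 600 is flagged.
check_ccache_dir() {
    for f in "$CCACHE_DIR"/*; do
        [ -f "$f" ] || continue
        if ccache_matches "$f" "$1"; then status=OK; else status=MISMATCH; fi
        mode=$(stat -c %a "$f" 2>/dev/null || echo '?')
        case $mode in
            600) perm="mode 600" ;;
            *)   perm="mode $mode (expected 600)" ;;
        esac
        printf '%s\t%s\t%s\n' "$status" "$perm" "$f"
    done
}

# demo: parse the constructed sample and report its principal and realm.
demo() {
    p=$(printf '%s\n' "$SAMPLE_KLIST" | principal_from_klist)
    printf 'principal=%s realm=%s\n' "$p" "$(realm_of "$p")"
}
```

On the appliance, `check_ccache_dir tideway@KERB-06` prints one line per file in /usr/tideway/var/krb5; a MISMATCH means the cache was issued to a different principal than the credential you intend to use it with, and any mode other than 600 means other local users can read the ticket.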
Encryption and SSH support
BMC Discovery uses the following types of encryption.
Modifying the encryption type is not supported.
For more information on the encryptions, see:
BMC Discovery supports Kerberos authentication for target discovery by using SSH credentials with standard SSH clients. Although BMC Discovery can be configured to use Tectia SSH and X.509 certificates, these are not supported for Kerberos authentication.