8.3. Logging into IdM
kinit issues the user a Kerberos ticket. This ticket is checked by any IdM or Kerberos-aware service, so a user only needs to log in once to access all domain services. Domain services include the IdM web UI, mounted file shares, wikis, or any other application which uses IdM as its identity and authentication store.
8.3.1. Logging into IdM
Log in by running kinit on a client within the IdM domain.
The kinit command must be run from a machine which has been configured as a client within the IdM domain, so that the client authenticates with the IdM KDC.
kinit logs into IdM as the currently logged-in user account. This user account must also be an IdM user for the login to the IdM Kerberos domain to succeed. For example, if you are logged into the machine as
$ kinit
Password for user@EXAMPLE.COM:
If pam_krb5 is configured on the IdM client machine, then when a user logs into the machine, a ticket is created which can be used for machine services which require authentication, such as
8.3.2. Logging in When an IdM User Is Different Than the System User
Run the kinit command again and specify the new user. For example:
$ kinit userName
Password for userName@EXAMPLE.COM:
An administrative account, admin, is created to perform normal administrative activities. To authenticate as the admin user, use the name admin when running kinit:
$ kinit admin
8.3.3. Checking the Current Logged-in User
Use the klist command to verify the identity and the ticket granting ticket (TGT) obtained from the server:
$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: ipaUser@EXAMPLE.COM

Valid starting     Expires            Service principal
11/10/08 15:35:45  11/11/08 15:35:45  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
kinit has some limitations, one of them being that the current ticket is overwritten with any new invocation of kinit. Authenticating as User A and then authenticating as User B overwrites User A's ticket.
This can be avoided by using the KRB5CCNAME environment variable. This variable keeps credential caches separate in different shells.
8.3.4. Caching User Kerberos Tickets
For example, if an administrator authenticated as admin, added a new user, set the password, and then tried to authenticate as that user, the administrator's ticket is lost.
To avoid this, a separate credential cache, set with KRB5CCNAME, can be used.
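The following shell functions show how KRB5CCNAME keeps the admin TGT in its own credential cache so that it does not overwrite the logged-in user's ticket, which covers both the overwrite limitation in 8.3.3 and the scenario in 8.3.4. This is an added example, not part of the original documentation. It assumes MIT Kerberos kinit and klist on an IdM client, the FILE: cache type under /tmp used in the klist output above, and the function names krb5_cache_for, krb5_run_as and krb5_principal_in, which are the example's own.

```shell
#!/bin/sh
# Added example (not from the IdM documentation): isolate Kerberos credential
# caches per user and per shell with KRB5CCNAME so that a second kinit does not
# clobber the first user's TGT.

# Build a per-user, per-shell cache name. $$ is the PID of this shell, so two
# shells authenticating as the same user still get separate caches, which is
# the property the documentation attributes to KRB5CCNAME.
krb5_cache_for() {
    printf 'FILE:/tmp/krb5cc_%s_%s_%s\n' "$(id -u)" "$1" "$$"
}

# Run a command with KRB5CCNAME pointing at that user's cache. The default
# cache (and therefore the currently logged-in user's ticket) is untouched
# because the variable is set only for the one command.
krb5_run_as() {
    _user=$1
    shift
    KRB5CCNAME=$(krb5_cache_for "$_user") "$@"
}

# Report which principal a given cache holds (empty when the cache does not
# exist or klist is unavailable). Checking this before an administrative
# command confirms that the right identity is in use.
krb5_principal_in() {
    KRB5CCNAME=$1 klist 2>/dev/null | sed -n 's/^Default principal: //p'
}

# Demonstration, only executed where kinit is actually installed (an IdM client).
if command -v kinit >/dev/null 2>&1; then
    # Obtain an admin TGT in its own cache; prompts for the admin password.
    krb5_run_as admin kinit admin
    # Any IdM command that should run as admin is invoked the same way, e.g.
    #   krb5_run_as admin ipa user-add ...   (assumed: the ipa CLI is installed)
    echo "admin cache holds:   $(krb5_principal_in "$(krb5_cache_for admin)")"
    echo "default cache holds: $(krb5_principal_in "${KRB5CCNAME:-}")"
fi
```

Because krb5_run_as sets KRB5CCNAME only in the environment of the single command, the interactive shell keeps using its default cache; a user can therefore add an account as admin and then authenticate as the new user in the default cache without losing the admin ticket.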