5.2. Logging into IdM Using Kerberos

IdM uses the Kerberos protocol to support single sign-on. With Kerberos, the user only needs to present the correct user name and password once. Then the user can access IdM services without the system prompting for the credentials again.
By default, only machines that are members of the IdM domain can use Kerberos to authenticate to IdM. However, it is possible to configure external systems for Kerberos authentication as well; for more information, see Section 5.4.4, “Configuring an External System for Kerberos Authentication to the Web UI”.

Using kinit

To log in to IdM from the command line, use the kinit utility.


To use kinit, the krb5-workstation package must be installed.
When run without specifying a user name, kinit logs into IdM under the user name of the user that is currently logged-in on the local system. For example, if you are logged-in as local_user on the local system, running kinit attempts to authenticate you as the local_user IdM user:
[local_user@server ~]$ kinit
Password for local_user@EXAMPLE.COM:


If the user name of the local user does not match any user entry in IdM, the authentication attempt fails.
To log in as a different IdM user, pass the required user name as a parameter to the kinit utility. For example, to log in as the admin user:
[local_user@server ~]$ kinit admin
Password for admin@EXAMPLE.COM:

Obtaining Kerberos Tickets Automatically

The pam_krb5 pluggable authentication module (PAM) and SSSD can be configured to automatically obtain a TGT for a user after a successful login in to the desktop environment on an IdM client machine. This ensures that after logging in, the user is not required to run kinit.
On IdM systems that have IdM configured in SSSD as the identity and authentication provider, SSSD obtains the TGT automatically after the user logs in with the corresponding Kerberos principal name.
For information on configuring pam_krb5, see the pam_krb5(8) man page. For general information about PAM, see the System-Level Authentication Guide.

Storing Multiple Kerberos Tickets

By default, Kerberos only stores one ticket per logged-in user in the credential cache. Whenever a user runs kinit, Kerberos overwrites the currently-stored ticket with the new ticket. For example, if you use kinit to authenticate as user_A, the ticket for user_A will be lost after you authenticate again as user_B.
To obtain and store another TGT for a user, set a different credential cache, which ensures the contents of the previous cache are not overwritten. You can do this in one of the following two ways:
  • Run the export KRB5CCNAME=path_to_different_cache command, and then use kinit to obtain the ticket.
  • Run the kinit -c path_to_different_cache command, and then reset the KRB5CCNAME variable.
To restore the original TGT stored in the default credential cache:
  1. Run the kdestroy command.
  2. Restore the default credential cache location using the unset $KRB5CCNAME command.

Checking the Current Logged-in User

To verify what TGT is currently stored and used for authentication, use the klist utility to list cached tickets. In the following example, the cache contains a ticket for user_A, which means that only user_A is currently allowed to access IdM services:
$ klist
Ticket cache: KEYRING:persistent:0:0
Default principal: user_A@EXAMPLE.COM

Valid starting     	Expires            	Service principal
11/10/2015 08:35:45  	11/10/2015 18:35:45  	krbtgt/EXAMPLE.COM@EXAMPLE.COM