mkkrb5clnt Command
Purpose
Configures a Kerberos client.
Syntax
To configure Kerberos against IBM® Network Authentication Service only:
mkkrb5clnt -h | [ -c KDC -r Realm -s Server -U [ -a Admin ] -d Domain [ -A ] [ -i Database ] [ -K ] [ -T ] [ -t ticket_lifetime ] [ -n renew_lifetime ] ] [ -l {ldapserver | ldapserver:port} ]
To configure Kerberos against non-kadmind services:
mkkrb5clnt -h | -c KDC -r Realm -s Server -d Domain [ -i Database ] [ -K ] [ -t ticket_lifetime ] [ -n renew_lifetime ] –D [ -l {ldapserver | ldapserver:port} ] | -U
Description
This command configures the Kerberos client. The first part of the command reads realm name, KDC, VDB path, and domain name from the input and generates a krb5.conf file.
| Item | Description |
|---|---|
| /etc/krb5/krb5.conf: | Values for realm name, Kerberos admin server, and domain name are set as specified on the command line. Also updates the paths for default_keytab_name, kdc, and kadmin log files. |
If DCE is not configured, this command creates a link to /etc/krb5/krb5.conf from /etc/krb5.conf.
The command also allows you to configure root as admin user, configure integrated Kerberos authentication, and configure Kerberos as default authentication scheme.
For integrated login, the -i flag requires the name of the database being used. For LDAP, use the load module name that specifies LDAP. For local files, use the keyword files.
| Item | Description |
|---|---|
| Standard Output | Consists of information messages when the -h flag is used. |
| Standard Error | Consists of error messages when the command cannot complete successfully. |
Flags
| Item | Description |
|---|---|
| -a Admin | Specifies the principal name of the Kerberos server admin. |
| -A | Specifies root to be added as a Kerberos administrative user. |
| -c KDC | Specifies the KDC server. |
| -d Domain | Specifies the complete domain name for the Kerberos client. |
| -D | Specifies Kerberos against non-kadmind services. |
| -h | Specifies that the command is only to display the valid command syntax. |
| -i Database | Configures integrated Kerberos authentication. |
| -K | Specifies Kerberos to be configured as the default authentication scheme. |
| -l ldapserver | ldapserver:port | For servers, specifies the LDAP directory used to store the
Network Authentication Service principal and policy information. For clients, specifies the LDAP directory server to use for Administration server and KDC discovery using LDAP. If the -l flag is used, then the KDC and server flags are optional. If the -l option is not used, the KDC and server flags must be specified. The port number can optionally be specified. For clients and servers, the port number can optionally be specified. If the port number is not specified, the client connects to the default LDAP server port 389 or 636 for SSL connections. Note: Only the client configuration
is updated.
|
| -n renew_lifetime | Specifies the client-specific time to generate a renewable ticket if the server supports it. By default, the ticket is nonrenewable. The renew_lifetime parameter value is composed of four numeric values that are delimited by colons. |
| -r Realm | Specifies the full realm name for which the Kerberos client is to be configured. |
| -s Server | Specifies the fully qualified host name for Kerberos admin server. |
| -t ticket_lifetime | Specifies the client-specific ticket lifetime for received tickets if the server supports it. If you do not specify the flag, the server sets the ticket lifetime. The ticket_lifetime parameter value is composed of four numeric values that are delimited by colons. |
| -T | Specifies the flag to acquire server admin TGT based admin ticket. |
| -U | Undo the setup from the previous configuration command. |
Exit Status
Failure of this command to execute successfully may result in incomplete client configuration.
| Item | Description |
|---|---|
| 0 | Indicates the successful completion of the command. |
| 1 | Indicates that an error occurred. |
Security
A user with the aix.security.kerberos authorization is authorized to use this command.
Examples
- To display the command syntax, enter the following command:
mkkrb5clnt -h - To configure testbox.austin.ibm.com as a client to sundial.austin.ibm.com where
KDC is also running on sundial.austin.ibm.com, enter the following
command:
mkkrb5clnt -c sundial.austin.ibm.com -r UD3A.AUSTIN.IBM.COM \ -s sundial.austin.ibm.com -d austin.ibm.com - To configure testbox.austin.ibm.com as the client, make
root as the server admin, configure integrated login, configure Kerberos
as default authentication scheme, enter the following command:
mkkrb5clnt -c sundial.austin.ibm.com -r UD3A.AUSTIN.IBM.COM \ -s sundial.austin.ibm.com -d austin.ibm.com \ -A -i files -K -T - To configure testbox.austin.ibm.com as the client against
a non-AIX® machine, enter
the following command:
mkkrb5clnt -c non-aix.austin.ibm.com -r NON-AIX.AUSTIN.IBM.COM \ -s non-aix.austin.ibm.com -d austin.ibm.com –D - To configure testbox.austin.ibm.com as the client against
a non-AIX machine with
the ticket lifetime of 1 day, 2 hours, 3 minutes, and 4 seconds, and
the renew lifetime of 5 days, 6 hours, 7 minutes, and 8 seconds, enter
the following command:
mkkrb5clnt -c non-aix.austin.ibm.com -r NON-AIX.AUSTIN.IBM.COM \ -s non-aix.austin.ibm.com -d austin.ibm.com –D \ -t 1:2:3:4 -n 5:6:7:8
Files
| Item | Description |
|---|---|
| /usr/krb5/sbin | Contains the mkkrb5clnt command. |