Add Kerberos Ticket (ADDKRBTKT)

The Add Kerberos Ticket (ADDKRBTKT) command is used to obtain and cache Kerberos ticket-granting tickets. This command is similar to the kinit tool that is commonly found in other implementations of the Kerberos protocol, such as the SEAM and MIT Reference implementations.

Restrictions:

Parameters

Keyword      Description              Choices                   Notes
PRINCIPAL    Principal                Element list              Required, Positional 1
             Element 1: Name          Character value
             Element 2: Realm         Character value, *DFT
PASSWORD     Password                 Character value           Optional, Positional 2
KEYTABFILE   Keytab file              Path name, *DFT           Optional
CCF          Credentials cache file   Path name, *DFT           Optional
ALWFWD       Allow forwarding         *NO, *YES                 Optional
ALWPRX       Allow proxy              *NO, *YES                 Optional

Principal (PRINCIPAL)

Specifies the principal name of a user or service principal on a host in a Kerberos network. The principal and key pairs in the keytab file allow services running on the host to be authenticated by a Key Distribution Center (KDC). All principals are added to the Kerberos server, which maintains a database of all users and services within a Kerberos realm.

This is a required parameter.

Element 1: Name

Specifies the principal name or service principal on a specified host name.

character-value
Specify the user name of the Kerberos principal.

The Kerberos principal has a minimum length of 1 character and a maximum length of 256 characters. Valid characters are case sensitive and include all alphanumeric characters (a-z, A-Z, 0-9) and any printable ASCII character. The principal name format is taken from the Kerberos 5 GSS-API mechanism (RFC 1964).

Special characters allowed:

/ - delimit name components.

Element 2: Realm

Specifies the realm in which the Kerberos user is registered and in which initial authentication took place.

*DFT
The default realm for the local system will be used. Typically, the default realm and the KDC for that realm are indicated in the Kerberos krb5.conf configuration file. If the default realm has not been set, it is obtained from the default_realm entry in the [libdefaults] section of the Kerberos configuration file.
character-value
Specify the name of the Kerberos realm where the user specified for the first element of this parameter is registered.

The name has a minimum length of 1 character and a maximum length of 256 characters. Valid characters are case sensitive and include all alphanumeric characters (a-z, A-Z, 0-9) and any printable ASCII character. The realm name format is taken from the Kerberos 5 GSS-API mechanism (RFC 1964).

Special characters allowed:

@ - start realm.

Password (PASSWORD)

Specifies the password that allows the principal to authenticate in the Key Distribution Center (KDC).

This is a required parameter if the keytab file name is not defined.

character-value
Specify the password value. The password can be up to 255 characters long.

Keytab file (KEYTABFILE)

Specifies the Kerberos keytab file in which a group of principals and their keys are stored.

*DFT
The default keytab file for the current user will be used. If the KRB5_KTNAME environment variable is set, this is the name of the default keytab file. Otherwise, the keytab file name is obtained from the default_keytab_name entry in the [libdefaults] section of the Kerberos configuration file. If this entry is not defined, the default keytab file name is /QIBM/UserData/OS400/NetworkAuthentication/keytab/krb5.keytab.
path-name
Specify the path name of the stream file which contains the Kerberos keytab file to use.

Credentials cache file (CCF)

Specifies the credentials cache file that this command will use. The cache stores each new ticket together with its session key and the other information carried in the corresponding KrbCredInfo sequence from the encrypted part of the KRB_CRED message.

*DFT
The default credentials cache file for the current user is used. If the KRB5CCNAME environment variable is set, this is the name of the default cache. Otherwise, the name is obtained from the file specified by the _EUV_SEC_KRB5CCNAME_FILE environment variable. If this environment variable is not set, the name is obtained from the krb5ccname file in the HOME directory. If this file does not exist or if there is no default credentials cache name set in the file, a new credentials cache file is created.
path-name
Specify the path name of the credentials cache file to use.

Allow forwarding (ALWFWD)

Specifies whether the Kerberos ticket will be forwardable.

The FORWARDABLE flag in a ticket is normally only interpreted by the ticket-granting service. It can be ignored by the application server.

The FORWARDABLE flag has an interpretation similar to that of the PROXIABLE flag, except ticket-granting tickets may also be issued with different network addresses.

This flag allows for authentication forwarding without requiring the user to enter a password again. If the flag is not set, then authentication forwarding is not permitted, but the same end result can still be achieved if the user engages in the authentication server exchange with the requested network addresses and supplies a password.

*NO
The ticket will not be forwardable.
*YES
The ticket will be forwardable.

Allow proxy (ALWPRX)

Specifies whether the Kerberos ticket will be a proxiable ticket.

The PROXIABLE flag in a ticket is normally only interpreted by the service-granting service. It can be ignored by application servers. When this parameter is set to *YES, the ticket-granting server can issue a new ticket (but not a ticket-granting ticket) with a different network address based on this ticket.

*NO
The ticket is not proxiable.
*YES
The ticket is proxiable.

Examples

Example 1: Adding a Forwardable Ticket

ADDKRBTKT   PRINCIPAL('krbsrv400/guada.lajara.com')
            PASSWORD('my1pwd')  ALWFWD(*YES)

This command adds a forwardable ticket using the 'krbsrv400/guada.lajara.com' principal and the default realm.

Example 2: Adding a Proxiable Ticket

ADDKRBTKT   PRINCIPAL('krbsrv400/guada.lajara.com')
            PASSWORD('my1pwd')  ALWPRX(*YES)

This command adds a proxiable ticket using the 'krbsrv400/guada.lajara.com' principal and the default realm.

Example 3: Adding a Ticket for Non-default Realm

ADDKRBTKT   PRINCIPAL('krbsrv400/guada.lajara.com'
                      'MEX.ICO.COM')
            PASSWORD('my1pwd')  ALWFWD(*YES)

This command adds a forwardable ticket using the principal with user name 'krbsrv400/guada.lajara.com' and realm 'MEX.ICO.COM'.
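Example 4, added here and not part of the IBM reference: a CL program that obtains a ticket from a keytab into an explicit credentials cache and monitors the command's escape messages, so no password appears in CL source. The principal and realm are the ones from the examples above; the keytab path, cache path and service user are assumptions.

```cl
/* Added example (not IBM's): keytab-based ticket acquisition with      */
/* error handling. Paths under /home/svcuser are assumptions.           */
PGM
    DCL VAR(&CCF)  TYPE(*CHAR) LEN(128) +
        VALUE('/home/svcuser/krb5cc_batch')            /* assumed path */
    DCL VAR(&KTAB) TYPE(*CHAR) LEN(128) +
        VALUE('/home/svcuser/svc.keytab')              /* assumed path */

    /* No PASSWORD: the key is read from the keytab. CCF is explicit  */
    /* so the job does not depend on KRB5CCNAME or a shared default   */
    /* cache. Forwarding and proxying are left off unless the service */
    /* actually needs delegated tickets (see ALWFWD and ALWPRX).      */
    ADDKRBTKT PRINCIPAL('krbsrv400/guada.lajara.com' 'MEX.ICO.COM') +
              KEYTABFILE(&KTAB) CCF(&CCF) +
              ALWFWD(*NO) ALWPRX(*NO)

    /* CPFC602: keytab file not found                                  */
    MONMSG MSGID(CPFC602) EXEC(GOTO CMDLBL(NOKEYTAB))
    /* CPFC60B: KDC did not issue initial credentials                  */
    MONMSG MSGID(CPFC60B) EXEC(GOTO CMDLBL(NOCREDS))
    /* CPFC61B: principal name could not be parsed                     */
    MONMSG MSGID(CPFC61B) EXEC(GOTO CMDLBL(BADPRIN))
    /* Any other CPF escape message from the command                   */
    MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(OTHER))

    /* Success: the TGT is now cached in &CCF for later use.           */
    RETURN

NOKEYTAB:
    SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
              MSGDTA('Keytab not found; check KEYTABFILE path')
NOCREDS:
    SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
              MSGDTA('Initial credentials not obtained; check KDC')
BADPRIN:
    SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
              MSGDTA('Principal name could not be parsed')
OTHER:
    SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
              MSGDTA('ADDKRBTKT failed; see job log')
ENDPGM
```

Each failure is re-signalled as an escape message so a calling job or scheduler sees the outcome in the job log rather than a silently missing ticket.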

Error messages

*ESCAPE Messages

CPFC602
Keytab file &3 not found.
CPFC608
The default credential cache file name can not be obtained.
CPFC609
The principal from credential cache file &1 can not be retrieved.
CPFC60A
No initial ticket granting ticket (TGT) available.
CPFC60B
The initial credentials can not be obtained.
CPFC60C
The ticket from credentials cache &1 can not be retrieved.
CPFC60E
Password is not correct for principal.
CPFC60F
Initial credential can not be stored in credentials cache &1.
CPFC610
No default credentials cache found.
CPFC611
Credentials cache file operation fails.
CPFC613
The credentials cache directory can not be read.
CPFC615
The password can not be read.
CPFC61B
The principal name &3 can not be parsed.