HP CIFS Client A.01.09 Administrator's Guide, August 2003
CIFS Authentication Using Kerberos
Using Kerberos with the HP CIFS Client
The CIFS servers to which you want to connect via Kerberos with the
CIFS client must be joined to the Windows Domain. Windows online help
contains information on how this can be accomplished.
If you want to set up user principals on a Windows 2000 KDC, consult
online help for managing user Domain accounts.
To set up the HP-UX Kerberos client, consult the Configuration Guide
cited above in step 1. The following HP-UX man pages also contain
useful information: kerberos(9), krb5.conf(4), kpasswd(1), kinit(1),
klist(1), kdestroy(1).
Once you have set up these elements of your Kerberos infrastructure,
you can use the following checks to verify that everything is working.
Please do not proceed to step 3 without performing this verification.
• To verify that the user principals have been set up properly on the
KDC, and that the Kerberos authentication service on the KDC and
the HP-UX Kerberos client can communicate properly, enter:
$ kinit name
where name is one of the user principals. If the operation succeeds, a
Ticket-Granting Ticket (TGT) will be issued for name. To verify that
this actually occurred, execute the klist command to display the
contents of the ticket stored in the system Kerberos cache.
• To verify that the CIFS server has been properly configured in the
KDC, execute the test program, cifsgettkt, located in
/opt/cifsclient/bin:
$ cifsgettkt -s server
where server is one of the CIFS servers. This command will use the
TGT acquired with kinit to request a service ticket (ST) from the
Ticket-Granting Server (TGS). Because cifsgettkt is used only for
testing, it does not modify the system Kerberos cache. However, it
produces an informative message at the console.
If these verification steps succeed, Kerberos authentication for CIFS
clients and servers should succeed. You are ready to proceed to step
3.
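
The two checks above can be chained so that the service-ticket test runs only when a TGT is actually in the cache. The shell functions below are an added example, not part of the HP guide. They assume klist prints MIT-style output (a "Default principal:" line, then one line per ticket ending in the service principal); the names has_tgt, verify_cifs_kerberos and sample_klist are hypothetical.

```shell
#!/bin/sh
# Added example: gate the cifsgettkt test on a TGT being present.
# Assumption: klist output is MIT-style, as in sample_klist below.

# has_tgt: read klist output on stdin. Succeeds only if a ticket for
# krbtgt/REALM@REALM is listed, where REALM is the realm of the
# default principal. A cache holding only service tickets fails.
has_tgt() {
    awk '
        /^Default principal:/ {
            n = split($3, p, "@")
            realm = p[n]
        }
        realm != "" && $NF == ("krbtgt/" realm "@" realm) { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# verify_cifs_kerberos SERVER: run both checks from the guide in order.
# kinit must already have been run for the user principal.
verify_cifs_kerberos() {
    server=$1
    if ! klist 2>/dev/null | has_tgt; then
        echo "no TGT in the Kerberos cache: run kinit first" >&2
        return 1
    fi
    # The guide documents only a console message from cifsgettkt, not
    # its exit status, so read the message rather than relying on $?.
    /opt/cifsclient/bin/cifsgettkt -s "$server"
}

# Constructed sample of klist output (not captured from a real system).
sample_klist() {
    cat <<'EOF'
Ticket cache: /tmp/krb5cc_1001
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
08/01/03 10:00:00  08/01/03 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
EOF
}
```

Typical use after kinit: `verify_cifs_kerberos server`, where server is one of the CIFS servers.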