HP CIFS Client A.02.02 Administrator's Guide

CIFS Security and Authentication
Using Kerberos with the HP CIFS Client
The CIFS servers to which you want to connect via Kerberos with the
CIFS client must be joined to the Windows Domain. For more
information, refer to Windows online help or the HP CIFS Server
Administrator’s Guide.

For information on setting up user accounts on a Windows KDC, consult
online help for managing user Domain accounts.

To set up the HP-UX Kerberos client, consult the Configuration Guide
cited above in step 1. The following HP-UX man pages also contain
useful information: kerberos(9), krb5.conf(4), kpasswd(1), kinit(1),
klist(1), kdestroy(1).

Once you have set up these elements of your Kerberos infrastructure,
you can use the following checks to verify that everything is working. Do
not proceed to step 3 without performing this verification.

To verify that user accounts have been set up properly on the KDC,
and that the Kerberos authentication service on the KDC and the
HP-UX Kerberos client can communicate properly, enter the
following command:

    $ kinit name

where name is one of the user names. If the operation succeeds, a
Ticket-Granting Ticket (TGT) will be issued for name. To verify that
this actually occurred, execute the klist command to display the
contents of the ticket stored in the system Kerberos cache.

To verify that CIFS servers have been properly configured as
member servers on the KDC, execute the test program,
cifsgettkt, located in /opt/cifsclient/bin:

    $ cifsgettkt -s server

where server is one of the CIFS servers. This command uses the TGT
acquired with kinit to request a service ticket (ST) from the
Ticket-Granting Server (TGS). Because cifsgettkt is used only for
testing, it does not modify the system Kerberos cache. However, it
produces an informative message at the console.

If these verification steps succeed, Kerberos authentication for CIFS
clients and servers should succeed. You are ready to proceed to step
3.
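
The verification steps above can be scripted. The following is an added example, not part of HP's guide: it assumes klist prints MIT-style output (a "Default principal:" line, then ticket lines ending in the service principal), and the function names and sample output are constructed. The exit status of cifsgettkt is not described here, so the script only displays its console message for the administrator to read.

```shell
#!/bin/sh
# Added example: scripted form of the kinit / klist / cifsgettkt checks.

# Constructed sample of klist output, used to exercise tgt_realm offline.
sample_klist() {
    cat <<'EOF'
Ticket cache: /tmp/krb5cc_1001
Default principal: name@EXAMPLE.COM

Valid starting     Expires            Service principal
01/15/24 09:00:00  01/15/24 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
EOF
}

# tgt_realm: read klist output on stdin. If the cache holds a TGT
# (krbtgt/REALM@REALM) for the default principal's realm, print the
# realm and return 0; otherwise print nothing and return 1.
tgt_realm() {
    awk '
        /^Default principal:/ { n = split($3, p, "@"); realm = p[n] }
        realm != "" && $NF == ("krbtgt/" realm "@" realm) {
            print realm; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    '
}

# verify_kerberos USER SERVER...: run the checks in the order given in
# the text. Stops before the cifsgettkt test if no TGT was obtained.
verify_kerberos() {
    user=$1; shift
    kinit "$user" || { echo "kinit failed for $user" >&2; return 1; }
    realm=$(klist | tgt_realm) || {
        echo "no TGT for $user in the Kerberos cache" >&2; return 1; }
    echo "TGT present for realm $realm"
    for server in "$@"; do
        echo "== service ticket request for $server"
        # Test program only; it does not modify the Kerberos cache.
        /opt/cifsclient/bin/cifsgettkt -s "$server"
    done
}
```

Call it as verify_kerberos name server1 server2, substituting one of your user names and your CIFS servers.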