HP CIFS Client A.02.02.03 Administrator's Guide

To set up the HP-UX Kerberos client, consult the Configuration Guide cited above in step 1. The
following HP-UX man pages also contain useful information: kerberos(9), krb5.conf(4), kpasswd(1),
kinit(1), klist(1), kdestroy(1).
Once you have set up these elements of your Kerberos infrastructure, you can use the following
checks to verify that everything is working. Do not proceed to step 3 without performing this
verification.
To verify that user accounts have been set up properly on the KDC, and that the Kerberos
authentication service on the KDC and the HP-UX Kerberos client can communicate properly,
enter the following command:
$ kinit name
where name is one of the user names. If the operation succeeds, a Ticket-Granting Ticket (TGT)
will be issued for name. To verify that this actually occurred, execute the klist command to
display the contents of the ticket stored in the system Kerberos cache.
To verify that CIFS servers have been properly configured as member servers on the KDC,
execute the test program, cifsgettkt, located in /opt/cifsclient/bin:
$ cifsgettkt -s server
where server is one of the CIFS servers. This command uses the TGT acquired with kinit to
request a service ticket (ST) from the Ticket-Granting Server (TGS). Because cifsgettkt is
used only for testing, it does not modify the system Kerberos cache. However, it produces an
informative message at the console.
If these verification steps succeed, Kerberos authentication for CIFS clients and servers should
succeed. You are ready to proceed to step 3.
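The three verification checks above (kinit, klist, cifsgettkt -s) as one script that refuses to report success unless every step passes. This is an added example, not a script shipped with the HP CIFS Client; it assumes MIT-style klist output (a line containing krbtgt/REALM@REALM for the TGT) and assumes cifsgettkt exits non-zero when the service ticket cannot be obtained, which you should confirm against your version's console message.

```shell
#!/bin/sh
# Added example, not part of the HP CIFS Client product.
# Automates the step-2 Kerberos verification before moving on to step 3.

# tgt_present REALM
# Reads klist output on stdin; succeeds (exit 0) only if a TGT for REALM
# is listed. Assumes MIT-style output naming the TGT krbtgt/REALM@REALM.
tgt_present() {
    realm="$1"
    grep -qF "krbtgt/${realm}@${realm}"
}

# verify_servers SERVER...
# Runs cifsgettkt -s for each CIFS server, prints PASS/FAIL per server and
# returns the number of failures. Assumes cifsgettkt exits non-zero on
# failure (assumption: verify with your installed version).
verify_servers() {
    fails=0
    for srv in "$@"; do
        if /opt/cifsclient/bin/cifsgettkt -s "$srv" >/dev/null 2>&1; then
            echo "PASS service ticket obtained for $srv"
        else
            echo "FAIL no service ticket for $srv"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# verify_kerberos USER REALM SERVER...
# Step 2 end to end: obtain a TGT, confirm it is in the system cache,
# then request a service ticket for every CIFS member server.
verify_kerberos() {
    user="$1"; realm="$2"; shift 2
    kinit "$user" || { echo "kinit failed for $user; check KDC account" >&2; return 1; }
    klist 2>/dev/null | tgt_present "$realm" \
        || { echo "no TGT for $realm in the system Kerberos cache" >&2; return 1; }
    verify_servers "$@"
}
```

Run it as `verify_kerberos alice EXAMPLE.COM fileserver1 fileserver2` (constructed names); a non-zero exit means do not proceed to step 3.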
Step 3. Configure Kerberos on the HP CIFS Client
Set the configuration parameter authenticationMethod to kerberos. The configuration
setting is:
authenticationMethod = kerberos;
Ensure there are no active CIFS mounts or logins at the server, and then log in as illustrated in “User
Login Procedures” (page 23).
To confirm that Kerberos is actually used, you can enable the cifstrace and authentication log levels; see “CIFS
Client Log File and Log Levels” (page 46) for information on log levels and log files. Once you
have verified that Kerberos has been negotiated and used for user authentication, disable cifstrace
and authentication logging.
CIFS Client Kerberos Authentication Policies
This section assumes that the CIFS server and client have negotiated the use of Kerberos.
Explicit login: cifslogin
Kerberos authentication is implemented transparently in this command. Required Kerberos credentials
(TGT and ST) are acquired from the KDC on behalf of the user and the Service Ticket (ST) is sent
to the CIFS server within a SESSION_SETUP request. No special action is performed by the user.
Automatic login: Integration with System Kerberos Cache (kinit(1) and PAM Kerberos)
This feature allows users to access mounted CIFS servers without using cifslogin. If you have
a pre-existing Ticket-Granting Ticket (TGT) in the system Kerberos cache, established with kinit(1)
or PAM Kerberos, you can attempt to access the CIFS mountpoint directly (cd, ls, etc.). The CIFS
Client uses the TGT to acquire a Service Ticket (ST) for the mounted CIFS server and performs a
CIFS login, all in the background. It is unnecessary for you to explicitly invoke cifslogin in this
case.
26 CIFS Security and Authentication