Configuration Guide for Kerberos Client Products on HP-UX 11.0 | HP-UX 11i v1 | HP-UX 11i v1.6 | HP-UX 11i v2

Configuring the Kerberos Environment
Configuration Files for Kerberos Clients
The PAM Kerberos options are: renewable=<time>, forwardable,
proxiable, use_first_pass, try_first_pass, ignore, and debug.
REFERENCE
To view related manpages, issue the following commands:
shell%: man pam.conf
shell%: man pam_krb5
Appendix A, Sample pam.conf File, contains a sample /etc/pam.conf
file.
In the HP-UX 11i version, a sample pam.conf file for Kerberos is
available as /etc/pam.krb5.
krb5.conf
The krb5.conf file specifies the defaults for the REALM and Kerberos
applications, mappings of the hostnames onto Kerberos REALMs, and the
location of KDCs for Kerberos REALMs. Application clients depend on the
configuration file /etc/krb5.conf to locate the REALM's KDC.
The [libdefaults] section of the krb5.conf file specifies various
parameters for the Kerberos library. For the klist utility to work
with PAM Kerberos, this section must include “ccache_type = 2”.
[libdefaults]
    default_realm = KDC.SUBDOMAIN.DOMAIN.COM
    default_tkt_enctypes = DES-CBC-CRC
    default_tgs_enctypes = DES-CBC-CRC
    ccache_type = 2
The [realms] section of the krb5.conf file specifies the KDC server and
the Kerberos admin server, kadmind, which manages the administration
interface to the KDC.
The default ports used by Kerberos are: port 88 for the KDC, port 749 for
the kadmin service, and port 751 for kpasswd. You can optionally choose
to run on other ports, as long as the ports are specified in each host’s
/etc/services, and in the krb5.conf files.
[realms]
    KDC.SUBDOMAIN.DOMAIN.COM = {
        kdc = hostname.subdomain.domain.com:88
        admin_server = hostname.subdomain.domain.com:749
    }
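The two requirements above (ccache_type = 2 in [libdefaults], and ports that agree between krb5.conf and /etc/services) can be checked with a short script. This is an added example, not part of the HP guide; the function names are hypothetical, and services entries are matched by port number only because the guide does not give the service names.

```shell
#!/bin/sh
# Added example, not from the HP guide: checks that [libdefaults] sets
# ccache_type = 2 and that each KDC/admin port is also in the services file.

# Print the value(s) of KEY inside [SECTION] of a krb5.conf-style file.
krb5_get() {  # usage: krb5_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*#/  { next }
        /^[ \t]*\[/ { cur = $0; gsub(/[ \t]/, "", cur); next }
        cur == sec && (n = index($0, "=")) {
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }' "$1"
}

# Print "role port" per [realms] kdc/admin_server; no ":port" means 88 or 749.
krb5_ports() {  # usage: krb5_ports KRB5_CONF
    for role in kdc admin_server; do
        [ "$role" = kdc ] && def=88 || def=749
        krb5_get "$1" realms "$role" | while read -r v; do
            case $v in *:*) echo "$role ${v##*:}" ;; *) echo "$role $def" ;; esac
        done
    done
}

# Succeed if PORT is listed in the services file (assumption: any service name).
port_in_services() {  # usage: port_in_services SERVICES_FILE PORT
    awk -v p="$2" '!/^[ \t]*#/ { split($2, a, "/"); if (a[1] == p) ok = 1 }
                   END { exit !ok }' "$1"
}

# Print each problem found; the return status is the number of problems.
check_krb5_client() {  # usage: check_krb5_client KRB5_CONF SERVICES_FILE
    problems=0
    if [ "$(krb5_get "$1" libdefaults ccache_type)" != 2 ]; then
        echo "[libdefaults] lacks ccache_type = 2 (needed by klist with PAM Kerberos)"
        problems=$((problems + 1))
    fi
    for port in $(krb5_ports "$1" | awk '{ print $2 }' | sort -u); do
        if ! port_in_services "$2" "$port"; then
            echo "port $port is used in $1 but not listed in $2"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# usage: sh thisfile /etc/krb5.conf /etc/services
[ "$#" -eq 0 ] || check_krb5_client "$@"
```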
To configure for multiple Kerberos REALMs, list them in the order of
priority, as in this example: