Configuration Guide for Kerberos Client Products on HP-UX
Configuring the Kerberos Environment
Configuring the Kerberos Client
To configure the Kerberos Client, complete the following steps:
1. Edit the configuration files /etc/krb5.conf and /etc/services as
   described in “Configuration Files for Kerberos Clients” on page 77.
2. All Kerberos systems need a KEYTAB file (/etc/krb5.keytab) to
   authenticate themselves to the KDC. Create a KEYTAB file for each
   KDC client on your KDC Server.
3. Transfer (ftp) the KEYTAB file from the KDC Server to the client
   without overwriting any keys installed for other applications. For
   example, use /tmp/hostname.keytab as the temporary destination
   filename. Use the Kerberos utility ktutil to merge the KEYTAB data.
   The following example shows how to merge the keytab using ktutil:
   $ /usr/sbin/ktutil
   ktutil: rkt /tmp/hostname.keytab
   ktutil: list
   ktutil: wkt /etc/krb5.keytab
   ktutil: quit
   You can view the KEYTAB file using the klist command. For example:
   # klist -k
   Keytab name: FILE:/etc/krb5.keytab
   KVNO Principal
   -----------------------------------------------------------
      2 host/hostname.domain.com@KDC.SUBDOMAIN.DOMAIN.COM
4. If the UNIX users do not exist, add the equivalent KDC users as
   UNIX users in the UNIX /etc/passwd password file. When creating
   a credential file for a user, the user’s entry in /etc/passwd is
   accessed for its UID number.
5. Synchronize the KDC client’s clock to the KDC server’s clock (within
two minutes).
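
The following script is an added example, not part of the original guide. It checks the outcome of steps 3 and 5 from `klist -k` listings captured before and after the merge. The function names, the HTTP/ principal and the epoch values are constructed for illustration.

```sh
#!/bin/sh
# Added example: post-merge checks for steps 3 and 5. Sample data is constructed.

# Read `klist -k` output on stdin; print one "KVNO PRINCIPAL" pair per key entry.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ { print $1, $2 }'
}

# lost_entries BEFORE AFTER: print entries of the BEFORE listing absent from AFTER.
# Any output means the merge overwrote another application's keys.
lost_entries() {
    after_entries=$(printf '%s\n' "$2" | keytab_entries)
    printf '%s\n' "$1" | keytab_entries | while read -r kvno princ; do
        printf '%s\n' "$after_entries" | grep -Fqx "$kvno $princ" || echo "$kvno $princ"
    done
}

# has_principal LISTING PRINCIPAL: succeed if PRINCIPAL has at least one key.
has_principal() {
    printf '%s\n' "$1" | keytab_entries |
        awk -v p="$2" '$2 == p { found = 1 } END { exit !found }'
}

# skew_ok CLIENT_EPOCH KDC_EPOCH: succeed if the clocks differ by <= 120 seconds.
skew_ok() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    [ "$d" -le 120 ]
}

# Constructed listings: the HTTP/ principal stands in for another application's key.
BEFORE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
-----------------------------------------------------------
   1 HTTP/hostname.domain.com@KDC.SUBDOMAIN.DOMAIN.COM'
AFTER="$BEFORE
   2 host/hostname.domain.com@KDC.SUBDOMAIN.DOMAIN.COM"
HOST_PRINC='host/hostname.domain.com@KDC.SUBDOMAIN.DOMAIN.COM'

lost=$(lost_entries "$BEFORE" "$AFTER")
if [ -z "$lost" ]; then echo "no existing keys lost"; else echo "LOST: $lost"; fi
if has_principal "$AFTER" "$HOST_PRINC"; then echo "host key present"; fi
if skew_ok 1700000090 1700000000; then echo "clock skew within two minutes"; fi
```

On a real client, capture `klist -k` output into the two listing variables before and after running ktutil.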