PAM Kerberos Release Note, HP 9000 Networking

Support Tools
The following tools are available on HP-UX 11.0 to manage Kerberos credentials. They are
located in the /usr/bin directory.
kinit
klist
kdestroy
To configure kinit and klist, create and modify the configuration files /etc/krb5.conf
and /krb5/krb.conf.
/krb5/krb.conf
Create a krb.conf file using the sample listed under Appendix D and replace the underlined
REALM.HP.COM and hostname.hp.com with the name of your Kerberos realm and hostname.
/etc/krb5.conf
Create a krb5.conf file using the sample listed under Appendix B. It should contain
"ccache_type = 2" under the [libdefaults] section.
kinit
kinit performs initial authentication with the KDC using the principal name
and the password provided by the user. kinit is used to obtain new tickets or
re-initialize expired tickets. Since PAM Kerberos, libpam_krb5.1, does not
use kinit to authenticate with the KDC, kinit is only used to refresh expired
tickets.
If a credential file, /tmp/pam_krb5/creds/krb5cc_uid, does not exist, then
it is created to store the credentials. If a credential file has already been created,
then the credentials are written into the file pointed to by the variable
KRB5CCNAME.
kinit does not support the -R option for refreshing credentials. See “Known
Problems and Workarounds” and “Known Limitations” for more
information.
See the kinit(1) man page for a full description.
kdestroy
kdestroy removes the login context and associated credential file.
A user's credentials are not automatically removed by exiting from a shell or
logging out. The user should manually remove the credential cache files
before logging out using the kdestroy command.
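Because credential caches outlive the login session, an administrator can report the ones left behind. The script below is an added example, not part of the release note or of HP's tools. It assumes the krb5cc_<uid> naming under /tmp/pam_krb5/creds described above; the function names, the --report argument and the extra group/other permission check are this example's own.

```shell
#!/bin/sh
# Added example (not from the release note): report Kerberos credential cache
# files left behind by users who are no longer logged in.
# Assumption: caches are named krb5cc_<uid> in the directory the note gives.

CCDIR=${CCDIR:-/tmp/pam_krb5/creds}

# active_uids: numeric UIDs of users that currently have a login session.
active_uids() {
    who | awk '{ print $1 }' | sort -u | while read -r name; do
        id -u "$name" 2>/dev/null
    done
}

# stale_ccaches DIR "UID UID ...": print "<path> <reason>" for each cache whose
# UID has no session (no-session) or whose mode grants group/other access
# (loose-mode; an added check, the release note does not discuss permissions).
stale_ccaches() {
    dir=$1
    active=" $2 "
    for f in "$dir"/krb5cc_*; do
        [ -f "$f" ] || continue            # glob matched nothing, or not a file
        uid=${f##*/krb5cc_}
        case $uid in
            ''|*[!0-9]*) continue ;;       # not the krb5cc_<uid> naming scheme
        esac
        case $active in
            *" $uid "*) ;;                 # owner still has a session
            *) echo "$f no-session" ;;
        esac
        # Field 1 of ls -ln is the mode string; characters 5-10 are the
        # group and other permission bits.
        mode=$(ls -ln "$f" | awk '{ print substr($1, 5, 6) }')
        [ "$mode" = "------" ] || echo "$f loose-mode"
    done
}

# Print the report when invoked with --report, for example from cron.
if [ "${1:-}" = "--report" ]; then
    stale_ccaches "$CCDIR" "$(active_uids | tr '\n' ' ')"
fi
```

Files reported as no-session belong to users who logged out without running kdestroy.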
If the user uses csh, then kdestroy may be included in the .logout file in the