4.1 - Authenticate with kinit on Linux


You first have to make sure kinit is installed.

You can check that by typing kinit in a console :

$ kinit --version
kinit (Heimdal 1.4.1apple1)
Copyright 1995-2010 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs@h5l.org

Then, you have to configure the krb5.conf file (it can be found in /etc/krb5.conf, if not just add it).

A minimal /etc/krb5.conf file looks as follows (make sure the port and host name matches!):

    default_realm = EXAMPLE.COM

            kdc = example.net:60088

    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

Check that the Kerberos sevrer is started, then try to get a ticket from a user that exists in the base (here, we use hnelson, which is a user we created for test purposes. His password is ‘secret’)

$ kinit hnelson@EXAMPLE.COM
Password for hnelson@EXAMPLE.COM:

You should not get any error. If you’ve get some, see later in this chapter.

Now, let’s check that we have correctly obtained a ticket. We will use the klist tool for that :

$ klist -v
Credentials cache: API:501:9
        Principal: hnelson@EXAMPLE.COM
    Cache version: 0

Client: hnelson@EXAMPLE.COM
Ticket etype: aes128-cts-hmac-sha1-96
Ticket length: 256
Auth time:  Feb 11 16:11:36 2013
End time:   Feb 12 02:11:22 2013
Renew till: Feb 18 16:11:36 2013
Ticket flags: pre-authent, initial, renewable, forwardable
Addresses: addressless

As we can see, we have obtained a ticket which will expire 6 hours after its creation, which can be renexed for 7 days, encrypted using AES-128 algorithm, ticket that can be used by the TGS.

All is good !


So it does not work…

There are many possible reason why you can’t get a ticket.

kinit: krb5_get_init_creds: unable to reach any KDC in realm EXAMPLE.COM

Such a error says that the server is not reachable. Check those points :

  • Is the server started ?
  • Is the EXAMPLE.COM domain declared in your DNS (or /etc/hosts file) ?