mkkrb5clnt Command

Purpose

Configures a Kerberos client.

Syntax

To configure Kerberos against IBM® Network Authentication Service only:

mkkrb5clnt -h | [ -c KDC -r Realm -s Server -U [ -a Admin ] -d Domain [ -A ] [ -i Database ] [ -K ] [ -T ] [ -t ticket_lifetime ] [ -n renew_lifetime ] ] [ -l {ldapserver | ldapserver:port} ]

To configure Kerberos against non-kadmind services:

mkkrb5clnt -h | -c KDC -r Realm -s Server -d Domain [ -i Database ] [ -K ] [ -t ticket_lifetime ] [ -n renew_lifetime ] -D [ -l {ldapserver | ldapserver:port} ] | -U

Description

This command configures the Kerberos client. The first part of the command reads realm name, KDC, VDB path, and domain name from the input and generates a krb5.conf file.

Item                  Description
/etc/krb5/krb5.conf   Values for realm name, Kerberos admin server, and domain name are set as specified on the command line. The command also updates the paths for default_keytab_name, kdc, and kadmin log files.

If DCE is not configured, this command creates a link to /etc/krb5/krb5.conf from /etc/krb5.conf.

The command also allows you to configure root as the admin user, configure integrated Kerberos authentication, and configure Kerberos as the default authentication scheme.

For integrated login, the -i flag requires the name of the database being used. For LDAP, use the load module name that specifies LDAP. For local files, use the keyword files.

Item              Description
Standard Output   Consists of information messages when the -h flag is used.
Standard Error    Consists of error messages when the command cannot complete successfully.

Flags

Item                              Description
-a Admin                          Specifies the principal name of the Kerberos server admin.
-A                                Specifies root to be added as a Kerberos administrative user.
-c KDC                            Specifies the KDC server.
-d Domain                         Specifies the complete domain name for the Kerberos client.
-D                                Specifies Kerberos against non-kadmind services.
-h                                Specifies that the command is only to display the valid command syntax.
-i Database                       Configures integrated Kerberos authentication.
-K                                Specifies Kerberos to be configured as the default authentication scheme.
-l ldapserver | ldapserver:port   For servers, specifies the LDAP directory used to store the Network Authentication Service principal and policy information.
                                  For clients, specifies the LDAP directory server to use for Administration server and KDC discovery using LDAP. If the -l flag is used, the KDC and server flags are optional; if the -l flag is not used, the KDC and server flags must be specified.
                                  For clients and servers, the port number can optionally be specified. If the port number is not specified, the client connects to the default LDAP server port, 389, or 636 for SSL connections.
                                  Note: Only the client configuration is updated.
-n renew_lifetime                 Specifies the client-specific renewable lifetime for tickets, if the server supports renewable tickets. By default, tickets are nonrenewable. The renew_lifetime parameter value is composed of four numeric values delimited by colons (days:hours:minutes:seconds, as in example 5 below).
-r Realm                          Specifies the full realm name for which the Kerberos client is to be configured.
-s Server                         Specifies the fully qualified host name of the Kerberos admin server.
-t ticket_lifetime                Specifies the client-specific ticket lifetime for received tickets, if the server supports it. If you do not specify the flag, the server sets the ticket lifetime. The ticket_lifetime parameter value is composed of four numeric values delimited by colons (days:hours:minutes:seconds, as in example 5 below).
-T                                Specifies that the server admin ticket is to be acquired based on a TGT (ticket-granting ticket).
-U                                Undoes the setup from the previous configuration command.

Exit Status

Failure of this command to execute successfully may result in incomplete client configuration.

Item   Description
0      Indicates the successful completion of the command.
1      Indicates that an error occurred.

Security

A user with the aix.security.kerberos authorization is authorized to use this command.

Examples

  1. To display the command syntax, enter the following command:
    mkkrb5clnt -h
  2. To configure testbox.austin.ibm.com as a client to sundial.austin.ibm.com where KDC is also running on sundial.austin.ibm.com, enter the following command:
    mkkrb5clnt -c sundial.austin.ibm.com -r UD3A.AUSTIN.IBM.COM \
    -s sundial.austin.ibm.com -d austin.ibm.com
  3. To configure testbox.austin.ibm.com as the client, make root the server admin, configure integrated login, and configure Kerberos as the default authentication scheme, enter the following command:
    mkkrb5clnt -c sundial.austin.ibm.com -r UD3A.AUSTIN.IBM.COM \
    -s sundial.austin.ibm.com -d austin.ibm.com \
    -A -i files -K -T
  4. To configure testbox.austin.ibm.com as the client against a non-AIX® machine, enter the following command:
    mkkrb5clnt -c non-aix.austin.ibm.com -r NON-AIX.AUSTIN.IBM.COM \
    -s non-aix.austin.ibm.com -d austin.ibm.com -D
  5. To configure testbox.austin.ibm.com as the client against a non-AIX machine with the ticket lifetime of 1 day, 2 hours, 3 minutes, and 4 seconds, and the renew lifetime of 5 days, 6 hours, 7 minutes, and 8 seconds, enter the following command:
    mkkrb5clnt -c non-aix.austin.ibm.com -r NON-AIX.AUSTIN.IBM.COM \
    -s non-aix.austin.ibm.com -d austin.ibm.com -D \
    -t 1:2:3:4 -n 5:6:7:8
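The following script is an added example and is not part of the IBM reference page or of the mkkrb5clnt command itself. It shows two checks an administrator can run after the examples above: converting and validating the colon-delimited lifetime values given to -t and -n (example 5), and confirming that the generated krb5.conf names the realm, KDC, and admin server that were passed with -r, -c, and -s (example 2). It assumes the standard krb5.conf layout with [libdefaults] and [realms] sections; the sample file it writes is constructed here for the demonstration, using the host names from the examples, and is not output captured from a real system.

```shell
#!/bin/sh
# Added example (not from the IBM reference page): post-configuration checks
# for a client set up with mkkrb5clnt. POSIX sh and awk only. The sample
# krb5.conf below is constructed for the demonstration; the realm and host
# names are taken from the examples above and are assumptions.

# Strip leading zeros so a field such as "08" is not read as octal by $(( )).
strip_zeros() {
    v=${1#"${1%%[!0]*}"}
    echo "${v:-0}"
}

# Convert the d:h:m:s lifetime format used by -t and -n into seconds.
# Prints the value; returns 1 unless the string is exactly four
# colon-delimited non-negative integers.
krb_lifetime_seconds() {
    case "$1" in
        ''|*[!0-9:]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=:
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for field in "$@"; do
        [ -n "$field" ] || return 1
    done
    d=$(strip_zeros "$1") h=$(strip_zeros "$2") m=$(strip_zeros "$3") s=$(strip_zeros "$4")
    echo $(( d * 86400 + h * 3600 + m * 60 + s ))
}

# Print the value of KEY found inside [SECTION] of a krb5.conf-style file
# (first match only; a single-realm file is assumed, so a key inside the
# realm's { } block is found as well). Section names are compared with
# whitespace removed.
krb5conf_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ {
            sec = $0; gsub(/[ \t]/, "", sec)
            in_sec = (sec == want); next
        }
        in_sec {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); sub(/[ \t]+$/, "", k)
            if (k == key) {
                v = substr(line, n + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Verify that the configuration names the realm, KDC, and admin server that
# were passed to mkkrb5clnt (-r, -c, -s). A port suffix such as
# host:88 is ignored when comparing hosts. Returns 0 on success and 1 on
# the first mismatch, which is reported on stderr.
check_client_config() {
    conf=$1 realm=$2 kdc=$3 admin=$4
    got_realm=$(krb5conf_get "$conf" libdefaults default_realm)
    got_kdc=$(krb5conf_get "$conf" realms kdc)
    got_admin=$(krb5conf_get "$conf" realms admin_server)
    [ "$got_realm" = "$realm" ] || { echo "default_realm is '$got_realm', expected '$realm'" >&2; return 1; }
    [ "${got_kdc%%:*}" = "$kdc" ] || { echo "kdc is '$got_kdc', expected '$kdc'" >&2; return 1; }
    [ "${got_admin%%:*}" = "$admin" ] || { echo "admin_server is '$got_admin', expected '$admin'" >&2; return 1; }
    return 0
}

# Write a constructed krb5.conf in the standard layout to the given path
# (sample data for this example, not captured from a real system).
write_sample_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
        default_realm = UD3A.AUSTIN.IBM.COM
        default_keytab_name = FILE:/etc/krb5/krb5.keytab

[realms]
        UD3A.AUSTIN.IBM.COM = {
                kdc = sundial.austin.ibm.com:88
                admin_server = sundial.austin.ibm.com:749
                default_domain = austin.ibm.com
        }

[domain_realm]
        .austin.ibm.com = UD3A.AUSTIN.IBM.COM
EOF
}

# Demonstration run on the constructed sample; on a real client point
# check_client_config at /etc/krb5/krb5.conf instead.
sample="${TMPDIR:-/tmp}/krb5.conf.sample.$$"
write_sample_conf "$sample"
check_client_config "$sample" UD3A.AUSTIN.IBM.COM sundial.austin.ibm.com sundial.austin.ibm.com \
    && echo "krb5.conf matches the requested realm, KDC, and admin server"
echo "ticket lifetime 1:2:3:4 = $(krb_lifetime_seconds 1:2:3:4) seconds"
rm -f "$sample"
```

Lifetime strings are validated for shape only (four non-empty integer fields); whether the KDC honours the requested lifetime is still decided by the server, as the -t and -n descriptions note. The realm check compares host names without their port suffix because krb5.conf commonly records the KDC as host:88 and the admin server as host:749.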

Files

Item             Description
/usr/krb5/sbin   Contains the mkkrb5clnt command.