5.2. Logging into IdM Using Kerberos
IdM uses the Kerberos protocol to support single sign-on. With Kerberos, users only need to present the correct username and password once and can access IdM services without the system prompting for credentials again.
By default, only machines that are members of the IdM domain can use Kerberos to authenticate to IdM. However, it is possible to configure external systems for Kerberos authentication as well; for more information, see Section 5.4.4, “Configuring an External System for Kerberos Authentication to the Web UI”.
Using kinit
To log in to IdM from the command line, use the
kinit
utility.
Note
To use
kinit
, the krb5-workstation package must be installed.
When run without specifying a user name,
kinit
logs into IdM under the user name of the user that is currently logged-in on the local system. For example, if you are logged-in as local_user
on the local system, running kinit attempts to authenticate you as the local_user
IdM user:
[local_user@server ~]$ kinit Password for local_user@EXAMPLE.COM:
Note
If the user name of the local user does not match any user entry in IdM, the authentication attempt fails.
To log in as a different IdM user, pass the required user name as a parameter to the
kinit
utility. For example, to log in as the admin
user:
[local_user@server ~]$ kinit admin Password for admin@EXAMPLE.COM:
Obtaining Kerberos Tickets Automatically
The
pam_krb5
pluggable authentication module (PAM) and SSSD can be configured to automatically obtain a TGT for a user after a successful login in to the desktop environment on an IdM client machine. This ensures that after logging in, the user is not required to run kinit
.
On IdM systems that have IdM configured in SSSD as the identity and authentication provider, SSSD obtains the TGT automatically after the user logs in with the corresponding Kerberos principal name.
For information on configuring
pam_krb5
, see the pam_krb5(8) man page. For general information about PAM, see the System-Level Authentication Guide.
Storing Multiple Kerberos Tickets
By default, Kerberos only stores one ticket per logged-in user in the credential cache. Whenever a user runs
kinit
, Kerberos overwrites the currently-stored ticket with the new ticket. For example, if you use kinit
to authenticate as user_A
, the ticket for user_A
will be lost after you authenticate again as user_B
.
To obtain and store another TGT for a user, set a different credential cache, which ensures the contents of the previous cache are not overwritten. You can do this in one of the following two ways:
- Run the export KRB5CCNAME=path_to_different_cache command, and then use
kinit
to obtain the ticket. - Run the kinit -c path_to_different_cache command, and then reset the
KRB5CCNAME
variable.
To restore the original TGT stored in the default credential cache:
- Run the kdestroy command.
- Restore the default credential cache location using the unset $KRB5CCNAME command.
Checking the Current Logged-in User
To verify what TGT is currently stored and used for authentication, use the
klist
utility to list cached tickets. In the following example, the cache contains a ticket for user_A
, which means that only user_A
is currently allowed to access IdM services:
$ klist
Ticket cache: KEYRING:persistent:0:0
Default principal: user_A@EXAMPLE.COM
Valid starting Expires Service principal
11/10/2015 08:35:45 11/10/2015 18:35:45 krbtgt/EXAMPLE.COM@EXAMPLE.COM