Red Hat SummitQuesto contenuto non è disponibile nella lingua selezionata.
Chapter 1. Logging in to Identity Management from the command line
Identity Management (IdM) uses the Kerberos protocol to provide single sign-on (SSO). You can use SSO to authenticate once with a username and password to gain access to all authorized IdM services without the system prompting for the credentials again.
In IdM, the SSSD automatically obtains a ticket-granting ticket (TGT) for a user after the user successfully logs in to the desktop environment on an IdM client machine with the corresponding Kerberos principal name. This means that after logging in, the user is not required to use the kinit utility to access IdM resources.
If you have cleared your Kerberos credential cache or your Kerberos TGT has expired, you must manually request a new ticket to maintain access to IdM resources. The following sections present basic user operations when using Kerberos in IdM.
1.1. Using kinit to log in to IdM manually
Authenticate to an Identity Management (IdM) environment manually by using the kinit utility. You can use this utility to obtain and cache a Kerberos ticket-granting ticket (TGT) if your initial ticket has expired or was destroyed.
As an IdM user, when logging onto your local machine you are also automatically logging in to IdM. This means that after logging in, you are not required to use the kinit utility to access IdM resources.
Procedure
To authenticate as the current local user, use
kinitwithout specifying a user name. For example, if you are logged in as<example_user>on the local system:kinit
[example_user@server ~]$ kinitCopy to Clipboard Copied! Toggle word wrap Toggle overflow Password for example_user@EXAMPLE.COM: [example_user@server ~]$
Password for example_user@EXAMPLE.COM: [example_user@server ~]$Copy to Clipboard Copied! Toggle word wrap Toggle overflow If the user name of the local user does not match any user entry in IdM, the authentication attempt fails:
kinit
[example_user@server ~]$ kinitCopy to Clipboard Copied! Toggle word wrap Toggle overflow kinit: Client 'example_user@EXAMPLE.COM' not found in Kerberos database while getting initial credentials
kinit: Client 'example_user@EXAMPLE.COM' not found in Kerberos database while getting initial credentialsCopy to Clipboard Copied! Toggle word wrap Toggle overflow To authenticate as a different IdM principal, specify the username with the
kinitcommand. For example, to log in as theadminuser:kinit admin
[example_user@server ~]$ kinit adminCopy to Clipboard Copied! Toggle word wrap Toggle overflow Password for admin@EXAMPLE.COM: [example_user@server ~]$
Password for admin@EXAMPLE.COM: [example_user@server ~]$Copy to Clipboard Copied! Toggle word wrap Toggle overflow NoteRequesting user tickets using
kinit -kt KDB: user@EXAMPLE.COMis disabled. For more information, see the Why kinit -kt KDB: user@EXAMPLE.COM no longer work after CVE-2024-3183 solution.
Verification
To verify that the login was successful, use the
klistutility to display the cached TGT. In the following example, the cache contains a ticket for the<example_user>principal, which means that on this particular host, only<example_user>is currently allowed to access IdM services:klist
$ klistCopy to Clipboard Copied! Toggle word wrap Toggle overflow Ticket cache: KEYRING:persistent:0:0 Default principal: example_user@EXAMPLE.COM Valid starting Expires Service principal 11/10/2019 08:35:45 11/10/2019 18:35:45 krbtgt/EXAMPLE.COM@EXAMPLE.COM
Ticket cache: KEYRING:persistent:0:0 Default principal: example_user@EXAMPLE.COM Valid starting Expires Service principal 11/10/2019 08:35:45 11/10/2019 18:35:45 krbtgt/EXAMPLE.COM@EXAMPLE.COMCopy to Clipboard Copied! Toggle word wrap Toggle overflow
1.2. Destroying a user’s active Kerberos ticket
You can clear the credentials cache by destroying your active Kerberos ticket. Destroying a Kerberos ticket ensures that any subsequent requests for services require a new ticket-granting ticket (TGT).
Procedure
To destroy your Kerberos ticket:
kdestroy
[example_user@server ~]$ kdestroyCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Verification
To check that the Kerberos ticket has been destroyed:
klist
[example_user@server ~]$ klistCopy to Clipboard Copied! Toggle word wrap Toggle overflow klist: Credentials cache keyring 'persistent:0:0' not found
klist: Credentials cache keyring 'persistent:0:0' not foundCopy to Clipboard Copied! Toggle word wrap Toggle overflow
1.3. Configuring an external system for Kerberos authentication
Configure an external system that is not enrolled in the Identity Management (IdM) domain to support Kerberos authentication. By defining an IdM-specific Kerberos configuration file and setting the KRB5_CONFIG environment variable, users on external systems can authenticate against the IdM server and obtain Kerberos tickets.
Enabling Kerberos authentication on external systems is especially useful when your infrastructure includes multiple realms or overlapping domains. It is also useful if the system has not been enrolled into any IdM domain through ipa-client-install.
Prerequisites
The
krb5-workstationpackage is installed on the external system. To verify the installation, use the following CLI command:dnf list installed krb5-workstation
# dnf list installed krb5-workstationCopy to Clipboard Copied! Toggle word wrap Toggle overflow Installed Packages krb5-workstation.x86_64 1.16.1-19.el8 @BaseOS
Installed Packages krb5-workstation.x86_64 1.16.1-19.el8 @BaseOSCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Procedure
Copy the
/etc/krb5.conffile from the IdM server to the external system. For example:scp /etc/krb5.conf root@externalsystem.example.com:/etc/krb5_ipa.conf
# scp /etc/krb5.conf root@externalsystem.example.com:/etc/krb5_ipa.confCopy to Clipboard Copied! Toggle word wrap Toggle overflow WarningDo not overwrite the existing
krb5.conffile on the external system.On the external system, set the terminal session to use the copied IdM Kerberos configuration file:
export KRB5_CONFIG=/etc/krb5_ipa.conf
$ export KRB5_CONFIG=/etc/krb5_ipa.confCopy to Clipboard Copied! Toggle word wrap Toggle overflow The
KRB5_CONFIGvariable exists only temporarily until you log out. To prevent this loss, export the variable with a different file name.Copy the Kerberos configuration snippets from the
/etc/krb5.conf.d/directory to the external system.Users on the external system can now use the
kinitutility to authenticate against the IdM server.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}