5.2. Logging into IdM Using Kerberos
IdM uses the Kerberos protocol to support single sign-on. With Kerberos, users only need to present the correct username and password once and can access IdM services without the system prompting for credentials again.

By default, only machines that are members of the IdM domain can use Kerberos to authenticate to IdM. However, it is possible to configure external systems for Kerberos authentication as well; for more information, see Section 5.4.4, “Configuring an External System for Kerberos Authentication to the Web UI”.
Using kinit

To log in to IdM from the command line, use the kinit utility.

Note

To use kinit, the krb5-workstation package must be installed.

When run without specifying a user name, kinit logs in to IdM under the user name of the user that is currently logged in on the local system. For example, if you are logged in as local_user on the local system, running kinit attempts to authenticate you as the local_user IdM user:

[local_user@server ~]$ kinit
Password for local_user@EXAMPLE.COM:
Note

If the user name of the local user does not match any user entry in IdM, the authentication attempt fails.

To log in as a different IdM user, pass the required user name as a parameter to the kinit utility. For example, to log in as the admin user:

[local_user@server ~]$ kinit admin
Password for admin@EXAMPLE.COM:
Obtaining Kerberos Tickets Automatically

The pam_krb5 pluggable authentication module (PAM) and SSSD can be configured to automatically obtain a TGT for a user after a successful login to the desktop environment on an IdM client machine. This ensures that after logging in, the user is not required to run kinit.

On IdM systems that have IdM configured in SSSD as the identity and authentication provider, SSSD obtains the TGT automatically after the user logs in with the corresponding Kerberos principal name.

For information on configuring pam_krb5, see the pam_krb5(8) man page. For general information about PAM, see the System-Level Authentication Guide.
Storing Multiple Kerberos Tickets

By default, Kerberos only stores one ticket per logged-in user in the credential cache. Whenever a user runs kinit, Kerberos overwrites the currently stored ticket with the new ticket. For example, if you use kinit to authenticate as user_A, the ticket for user_A will be lost after you authenticate again as user_B.

To obtain and store another TGT for a user, set a different credential cache, which ensures the contents of the previous cache are not overwritten. You can do this in one of the following two ways:

- Run the export KRB5CCNAME=path_to_different_cache command, and then use kinit to obtain the ticket.
- Run the kinit -c path_to_different_cache command, and then reset the KRB5CCNAME variable.

To restore the original TGT stored in the default credential cache:

- Run the kdestroy command.
- Restore the default credential cache location by unsetting the variable with the unset KRB5CCNAME command (note that unset takes the variable name, not its $-expanded value).
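The procedure above (a separate credential cache per user, then resetting KRB5CCNAME) and the klist check in the next section are combined here in a small set of POSIX shell helpers. This is an added example, not code from the Red Hat guide: it assumes the MIT Kerberos tools from krb5-workstation (kinit, klist -s, kdestroy) are installed, and the cache directory, function names and the user names user_A/user_B are constructed for the example. Each helper points KRB5CCNAME at a per-user cache inside a subshell, so the caller's default cache is never overwritten and there is nothing to unset afterwards.

```shell
#!/bin/sh
# Added example helpers for keeping one Kerberos credential cache per IdM user.
# Assumes MIT Kerberos client tools (kinit, klist, kdestroy). Paths and names
# are constructed for the example and are not part of the Red Hat guide.

# Directory holding the per-user caches (constructed; any user-writable path works).
KRB_CACHE_DIR="${KRB_CACHE_DIR:-${TMPDIR:-/tmp}/krb5cc_multi_$(id -u)}"

# Print the cache file path used for one IdM user, e.g. user_A -> $KRB_CACHE_DIR/user_A.
cache_for() {
    printf '%s/%s\n' "$KRB_CACHE_DIR" "$1"
}

# Run a command with KRB5CCNAME pointed at that user's cache. The assignment
# happens in a subshell, so the caller's KRB5CCNAME (and therefore the default
# cache) is left untouched: the "export KRB5CCNAME=..., then reset it" steps
# from the guide are done automatically.
with_cache() {
    user="$1"; shift
    mkdir -p "$KRB_CACHE_DIR" && chmod 700 "$KRB_CACHE_DIR"
    ( KRB5CCNAME="FILE:$(cache_for "$user")"; export KRB5CCNAME; "$@" )
}

# Obtain a TGT for a user into that user's own cache (interactive password prompt).
# A later login_as for a different user does not overwrite this ticket.
login_as() {
    with_cache "$1" kinit "$1"
}

# Exit 0 only if the user's cache holds a valid, unexpired TGT (klist -s is silent).
has_valid_tgt() {
    with_cache "$1" klist -s
}

# Destroy only this user's cache, leaving other users' caches and the default cache intact.
logout_as() {
    with_cache "$1" kdestroy
}

# Typical session (not run automatically; requires a reachable IdM KDC):
#   login_as user_A
#   login_as user_B
#   has_valid_tgt user_A && echo "user_A still has a TGT"
#   with_cache user_B klist      # show user_B's tickets without touching user_A's
#   logout_as user_B
```

Because every helper runs in a subshell, the default cache that the desktop login or SSSD populated remains the one used by commands run outside these helpers; checking which identity a plain klist reports before and after calling them is a quick way to confirm that.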
Checking the Current Logged-in User

To verify what TGT is currently stored and used for authentication, use the klist utility to list cached tickets. In the following example, the cache contains a ticket for user_A, which means that only user_A is currently allowed to access IdM services: