Red Hat Enterprise Linux 5 Administration Unleashed
284 CHAPTER 12 Identity Management

    chkconfig kadmin on

For these services to start at boot time, a stash file must exist as described earlier.

Connecting to the Kerberos Server

Each Kerberos client must have the krb5-workstation RPM package installed to provide the Kerberos user commands for requesting and managing tickets. It also provides Kerberized versions of authentication utilities such as rlogin and ftp.

On each client, edit the /etc/krb5.conf file to set the realm and the location of the server for the realm. Replacing the example.com and EXAMPLE.COM instances in the default krb5.conf file is usually sufficient.

The Kerberized applications must be enabled on each client. For example, to enable the Kerberized telnet, make sure the krb5-telnet service is enabled and make sure users execute /usr/kerberos/bin/telnet instead of /usr/bin/telnet. To ensure the Kerberized programs are executed, verify that each user's path includes /usr/kerberos/bin/ before any of the other directories containing the non-Kerberized versions of the commands, such as /usr/bin/ or /usr/local/bin/. Other Kerberized applications include ftp, rsh, and rcp.

If Kerberos is used, users must use the kpasswd command to change their password instead of passwd. They must also use ksu instead of su to change to the root user.

If the clients are configured to use klogin instead of login, each user is granted a ticket, and using the ticket is transparent to the user. Otherwise, the user must explicitly request a ticket with the kinit utility. The user executes the kinit command, is prompted for his password, and is granted a ticket if the correct password is entered. The user is then authenticated for all Kerberized programs until the ticket expires, which is ten hours by default.

A user can view his tickets and expiration dates with the klist command. A user can also cancel his tickets immediately at any time by executing the kdestroy command.

Because the user does not have to enter a password or any other form of identification for Kerberized programs, users need to be careful about who has access to their computers or login sessions. If a user is going to be away from his computer, executing kdestroy to expire his Kerberos tickets is recommended so that someone else can't use his authentication while he is away.

Logging Kerberos Connections

In the /etc/krb5.conf configuration file, the following logging section exists:

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
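The two client-side conditions the chapter asks an administrator to verify, that /usr/kerberos/bin/ precedes the non-Kerberized command directories in each user's PATH and that the example.com/EXAMPLE.COM placeholders in the default krb5.conf have been replaced, can be checked with a short script. The following is an added example written for this page, not code from the book or from Red Hat; the function names, the LAB.LOCAL realm and the sample krb5.conf it writes (which reuses the [logging] section shown in the text) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the book: sanity checks for a Kerberos client set up
# as the chapter describes. Function names and sample file contents are
# constructed for this example.

# kerberized_path_ok "PATH_STRING"
# True (exit 0) when /usr/kerberos/bin is present in PATH_STRING and comes
# before every directory holding the non-Kerberized commands
# (/bin, /usr/bin, /usr/local/bin), so telnet, ftp, rsh and rcp resolve to
# the Kerberized versions.
kerberized_path_ok() {
    _krb_seen=0
    _old_ifs=$IFS
    IFS=:
    for _dir in $1; do
        case "${_dir%/}" in
            /usr/kerberos/bin)
                _krb_seen=1 ;;
            /bin|/usr/bin|/usr/local/bin)
                if [ "$_krb_seen" -eq 0 ]; then
                    IFS=$_old_ifs
                    return 1   # a non-Kerberized directory is searched first
                fi ;;
        esac
    done
    IFS=$_old_ifs
    [ "$_krb_seen" -eq 1 ]
}

# write_sample_krb5_conf FILE REALM
# Writes a constructed krb5.conf in the stock layout, with the [logging]
# section from the text and REALM as the realm name (the kdc host name is
# derived from the realm, as in the default file).
write_sample_krb5_conf() {
    _domain=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    cat >"$1" <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = $2

[realms]
 $2 = {
  kdc = kerberos.$_domain:88
  admin_server = kerberos.$_domain:749
 }
EOF
}

# krb5_conf_has_placeholders FILE
# True when FILE still carries the example.com / EXAMPLE.COM placeholders
# from the default krb5.conf, i.e. the realm was never set for this site.
krb5_conf_has_placeholders() {
    grep -q -i 'example\.com' "$1"
}

# krb5_conf_default_realm FILE
# Prints the default_realm value from the [libdefaults] section.
krb5_conf_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Demonstration on a constructed file; a real check would read /etc/krb5.conf.
demo() {
    _tmp=$(mktemp)
    write_sample_krb5_conf "$_tmp" EXAMPLE.COM
    if krb5_conf_has_placeholders "$_tmp"; then
        echo "krb5.conf still has the default EXAMPLE.COM realm: edit it for your realm"
    fi
    write_sample_krb5_conf "$_tmp" LAB.LOCAL   # LAB.LOCAL is a constructed realm
    echo "default_realm now: $(krb5_conf_default_realm "$_tmp")"
    rm -f "$_tmp"

    if kerberized_path_ok "$PATH"; then
        echo "PATH searches /usr/kerberos/bin before the non-Kerberized commands"
    else
        echo "PATH does not put /usr/kerberos/bin first: Kerberized telnet/ftp/rsh/rcp will not be used"
    fi
}
demo
```

Run it as any user to see whether that user's PATH meets the ordering requirement; point krb5_conf_has_placeholders and krb5_conf_default_realm at /etc/krb5.conf to check the real client configuration instead of the constructed sample.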
