About Kerberos Configuration Files and LDAP Login Credentials
Kerberos configuration files often contain definitions for multiple Kerberos realms in the realms section of the file and a default realm specified in the libdefaults section.
Depending on what realm a user belongs to as specified in the libdefaults section of the Kerberos configuration file, their user name might need to be specified differently during login:
Realm Type | User Name Syntax | Example |
Non-Default | <user>@<non-default_realm_name> | mmhennington@2K8.HLP.NET |
Default | <user> | mmhennington |
Passwords are treated one of the following ways:
Password | New Tickets Obtained |
specified during login | The user principal and password are used to obtain: • A ticket-granting ticket from the Key Distribution Center (KDC) server • A service ticket for the Kerberos enabled LDAP server based on the new ticket-granting ticket |
left blank during login | The specified user principal obtains a ticket-granting ticket from the ticket cache or the Local Security Authority. |
The kinit command can be used to obtain a list of available tickets that reside in the ticket cache or Local Security Authority for principals.
Examples
To connect to an external LDAP server residing in the 2K8.HLP.NET realm and the Kerberos configuration file contains the realm settings for the 2K8.HLP.NET realm, but the default realm is SUPPORT.NET, then the user name would have to be specified as <user>@2K8.HLP.NET.