About Kerberos Configuration Files and LDAP Login Credentials

Kerberos configuration files often contain definitions for multiple Kerberos realms in the realms section of the file and a default realm specified in the libdefaults section.

Depending on whether a user belongs to the default realm specified in the libdefaults section of the Kerberos configuration file, the user name might need to be specified differently during login:

| Realm Type | User Name Syntax | Example |
|---|---|---|
| Non-Default | <user>@<non-default_realm_name> | mmhennington@2K8.HLP.NET |
| Default | <user> | mmhennington |

Passwords are treated one of the following ways:

| Password | New Tickets Obtained |
|---|---|
| specified during login | The user principal and password are used to obtain: (1) a ticket-granting ticket from the Key Distribution Center (KDC) server; (2) a service ticket for the Kerberos enabled LDAP server based on the new ticket-granting ticket. |
| left blank during login | The specified user principal obtains a ticket-granting ticket from the ticket cache or the Local Security Authority. |

The kinit command can be used to obtain a list of available tickets that reside in the ticket cache or Local Security Authority for principals.

Examples

If you connect to an external LDAP server residing in the 2K8.HLP.NET realm, and the Kerberos configuration file contains the realm settings for the 2K8.HLP.NET realm but the default realm is SUPPORT.NET, then the user name must be specified as <user>@2K8.HLP.NET.
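
The rule in the example above can be checked against a configuration file before attempting a login. The following Python sketch is an added example, not code from the product this page documents: it reads the default realm and the defined realms from krb5.conf text and returns the user name to enter. The KDC host names, the function names, and the choice to reject a realm that has no entry in the realms section are assumptions made for illustration.

```python
import re

# Constructed sample: realm names come from the page; KDC host names are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = SUPPORT.NET

[realms]
    SUPPORT.NET = {
        kdc = kdc.support.example
    }
    2K8.HLP.NET = {
        kdc = kdc.2k8.example
    }
"""

def parse_krb5(text):
    """Return (default_realm, set_of_defined_realms) from krb5.conf text."""
    section, depth, default_realm, realms = None, 0, None, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:              # section header such as [realms]
            section = header.group(1)
            continue
        if line == "}":                        # end of a realm sub-block
            depth -= 1
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "libdefaults" and key == "default_realm":
            default_realm = value
        elif section == "realms" and depth == 0 and value.startswith("{"):
            realms.add(key)                    # top-level key in [realms] is a realm name
        if value.startswith("{") and not value.endswith("}"):
            depth += 1                         # sub-block continues on following lines
    return default_realm, realms

def login_name(text, user, realm):
    """User name to enter at login for `user` in `realm`, per the table above."""
    default_realm, realms = parse_krb5(text)
    # Assumption: the realm must be defined in the realms section, as in the page's example.
    if realm not in realms:                    # realm names are case-sensitive
        raise ValueError(f"realm {realm} has no entry in the realms section")
    return user if realm == default_realm else f"{user}@{realm}"
```

With the sample file, a user in 2K8.HLP.NET must log in as mmhennington@2K8.HLP.NET, while a user in SUPPORT.NET logs in as mmhennington.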