Managing network authentication service
After you have configured network authentication service, you can request tickets, work with key table files, and administer host name resolution. You can also work with credentials files and back up configuration files.
System i user tasks
The System i™ platform can also operate as a client in a Kerberos-enabled network. Users can sign on to the system and perform Kerberos-related tasks through the Qshell Interpreter.
The following user tasks are performed with Qshell commands.
If you are using the PC5250 emulator in iSeries Navigator, you need to change the Remote sign-on system value to enable you to bypass the sign-on. To change the Remote sign-on system value, follow these steps:
- In iSeries Navigator, expand your system > Configuration and Service > System Values > Sign-on.
- On the Remote page, select Allow sign-on to be bypassed and Source and target user IDs must match, and click OK.
Network authentication service administration tasks
The following tasks can be performed by an administrator in iSeries Navigator. For more task-based information, see the iSeries Navigator help for network authentication service.
- Synchronizing system times
Network authentication service uses 5 minutes (300 seconds) as the default maximum clock skew, that is, the amount by which system times are allowed to differ. You can change this allowed difference in the network authentication service properties.
- Adding realms
Before you can add a realm to the i5/OS configuration, you need to configure the Kerberos server for the new realm. To add a realm to the i5/OS network authentication service task, you need the realm name, the name of the Kerberos server, and the port on which it listens.
- Deleting realms
As the network administrator, you might want to delete an unneeded or unused realm from the network authentication service configuration. You might also need to remove a default realm to recover from some application problems with applications that are integrated on the system.
- Adding a Kerberos server to a realm
You can add a Kerberos server to a realm using network authentication service. Before you add the Kerberos server to the realm, you need to know the name and the port on which it listens.
- Adding a password server
The password server allows Kerberos principals to change their passwords.
- Creating a trust relationship between realms
Establishing a trust relationship between realms creates a shortcut for authentication.
- Changing host resolution
To resolve host names and realm names, specify an LDAP server, a Domain Name System (DNS), and static mappings.
- Adding encryption settings
You can select the encryption types for ticket-granting tickets (TGT) and ticket-granting service (TGS).
- Obtaining or renewing ticket-granting tickets
The kinit command obtains or renews a Kerberos ticket-granting ticket.
- Displaying credentials cache
The klist command displays the contents of a Kerberos credentials cache.
- Managing keytab files
You can maintain the keytab file using either the character-based interface or iSeries Navigator.
- Changing Kerberos passwords
The kpasswd command changes the password for the specified Kerberos principal using the password change service.
- Deleting expired credentials cache files
The kdestroy command deletes a Kerberos credentials cache file. Users need to periodically delete old credentials by using the kdestroy command.
- Managing Kerberos service entries in LDAP directories
The ksetup command manages Kerberos service entries in the LDAP server directory.
- Defining realms in the DNS database
You can define realms in the DNS database to resolve host names.
- Defining realms in the LDAP server
Network authentication service allows you to use the LDAP server to resolve a host name into a Kerberos realm and to find the KDC for a Kerberos realm.
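The host resolution settings above (static mappings, DNS, and an LDAP server) all answer the same two questions: which realm a host belongs to, and which KDC serves that realm. The following Python script is an added example, not IBM i code, that walks the three sources in the order static mappings, DNS, LDAP (that precedence is an assumption, not something the page states). The DNS and LDAP back ends are replaced by constructed in-memory tables so it runs offline; a real resolver would query `_kerberos.<domain>` TXT and `_kerberos._udp.<realm>` SRV records and the configured LDAP server. All host names, realms and KDC addresses are constructed sample data.

```python
"""Host-to-realm and realm-to-KDC resolution in the style of the network
authentication service host resolution settings. Added example; every
mapping below is constructed sample data, not configuration from any system."""

from typing import Dict, Iterator, List, Optional, Tuple

# Static host-to-realm mappings, keyed by a full host name or by a domain
# suffix that starts with "." (most specific key wins). Constructed data.
STATIC_HOST_REALMS: Dict[str, str] = {
    "payroll.hr.example.com": "HR.EXAMPLE.COM",
    ".hr.example.com": "HR.EXAMPLE.COM",
    ".example.com": "EXAMPLE.COM",
}
# Static realm-to-KDC list as "host:port". Constructed data.
STATIC_REALM_KDCS: Dict[str, List[str]] = {
    "EXAMPLE.COM": ["kdc1.example.com:88", "kdc2.example.com:88"],
    "HR.EXAMPLE.COM": ["kdc.hr.example.com:88"],
}
# Offline stand-ins for the DNS and LDAP back ends (assumption: a real
# resolver would issue TXT/SRV queries and an LDAP search instead).
DNS_TXT: Dict[str, str] = {"_kerberos.lab.example.net": "LAB.EXAMPLE.NET"}
DNS_SRV: Dict[str, List[str]] = {
    "_kerberos._udp.LAB.EXAMPLE.NET": ["kdc.lab.example.net:88"],
}
LDAP_HOST_REALMS: Dict[str, str] = {"legacy.example.org": "LEGACY.EXAMPLE.ORG"}
LDAP_REALM_KDCS: Dict[str, List[str]] = {
    "LEGACY.EXAMPLE.ORG": ["kdc.legacy.example.org:88"],
}


def _labels(host: str) -> List[str]:
    """Normalise a host name to lower-case labels without a trailing dot."""
    return host.lower().rstrip(".").split(".")


def static_keys(host: str) -> Iterator[str]:
    """Yield static-mapping keys from most to least specific, e.g.
    payroll.hr.example.com, .hr.example.com, .example.com, .com"""
    labels = _labels(host)
    yield ".".join(labels)
    for i in range(1, len(labels)):
        yield "." + ".".join(labels[i:])


def parent_domains(host: str) -> Iterator[str]:
    """Yield the host itself, then each parent domain, for DNS TXT lookups."""
    labels = _labels(host)
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def resolve_realm(host: str) -> Tuple[Optional[str], str]:
    """Return (realm, source) for a host; source names which lookup answered."""
    # 1. Static mappings: first match in most-specific-first order.
    for key in static_keys(host):
        if key in STATIC_HOST_REALMS:
            return STATIC_HOST_REALMS[key], "static"
    # 2. DNS: _kerberos.<host> TXT, then each parent domain.
    for domain in parent_domains(host):
        realm = DNS_TXT.get(f"_kerberos.{domain}")
        if realm:
            return realm, "dns"
    # 3. LDAP: direct host entry on the configured directory server.
    realm = LDAP_HOST_REALMS.get(host.lower().rstrip("."))
    if realm:
        return realm, "ldap"
    return None, "unresolved"


def find_kdcs(realm: str) -> Tuple[List[str], str]:
    """Return (list of KDC addresses, source) for a realm, same precedence."""
    if realm in STATIC_REALM_KDCS:
        return list(STATIC_REALM_KDCS[realm]), "static"
    srv = DNS_SRV.get(f"_kerberos._udp.{realm}")
    if srv:
        return list(srv), "dns"
    ldap = LDAP_REALM_KDCS.get(realm)
    if ldap:
        return list(ldap), "ldap"
    return [], "unresolved"


if __name__ == "__main__":
    hosts = ["payroll.hr.example.com", "web.example.com",
             "kdc1.lab.example.net", "legacy.example.org", "orphan.internal"]
    for h in hosts:
        realm, src = resolve_realm(h)
        kdcs, ksrc = find_kdcs(realm) if realm else ([], "n/a")
        print(f"{h:24} realm={realm} ({src}) kdcs={kdcs} ({ksrc})")
```

The most-specific-first ordering in `static_keys` matters: with both `.hr.example.com` and `.example.com` mapped, a host in the HR subdomain must land in `HR.EXAMPLE.COM`, not the parent realm, or its service tickets will be requested from the wrong KDC. A host that resolves through none of the three sources is reported as unresolved rather than guessed.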