I want to manually log in to an LDAP server. Kerberos is used for authentication. I am registered there with a username and password.
kinit username@servername
It works fine and a valid TGT is created, which I can view using
klist
But how do I proceed after that? How can I use the TGT to connect to the LDAP server?
I've read that a keytab file is required here. But I have no krb5.keytab file generated in /etc/.
Best Answer
As always, 'it depends'. I assume you are using some kind of Linux.
For one-off authentication, provided your LDAP client supports GSSAPI, you can use the GSSAPI mechanism. So once you kinit successfully and have a TGT, you can use something like this (using the publicly available FreeIPA demo, http://www.freeipa.org/page/Demo):
As you can see, I could bind using the Kerberos ticket; I got no results because there are no locked accounts there, but it succeeded.
Using keytabs is not much more complicated, but you need to retrieve one first (or have one retrieved for you). The method for doing that varies per Kerberos vendor: for AD Kerberos you usually get it using ktpass.exe; on Linux talking to AD Kerberos you could use msktutil (https://fuhm.net/software/msktutil/), which is not standard software delivered by all distributions but works really well; for Linux hosts in a FreeIPA Kerberos domain you can use ipa-getkeytab (http://www.freeipa.org/page/V4/Keytab_Retrieval); on standard MIT Kerberos you could use ktutil (http://web.mit.edu/kerberos/krb5-latest/doc/admin/admin_commands/ktutil.html).
Once you have the keytab, you need to use it with: kinit -k -t /path/to/keytab_file -c /path/to/kerberos/cache youruser@YOUR.REALM
After that you need to point the KRB5CCNAME environment variable, in your script, to the path where you saved the keytab cache with the -c switch, in order to authenticate to the LDAP server. Obviously the ticket will expire after a couple of hours, so you need to renew it using cron or k5start.
You do not want to use the /etc/krb5.keytab file; that is the host file (computers are users as well when joined to a Kerberos realm). You will want an application/user keytab specific to your needs.
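A script that puts the keytab kinit, the dedicated credential cache, KRB5CCNAME and the GSSAPI bind from the answer together, as an added example that is not from the original answer; the keytab path, principal, cache location, LDAP URI, base DN and the search filter are assumed placeholders, and renewal is done on demand (re-kinit when klist -s reports no valid ticket) instead of via cron or k5start.

```shell
#!/bin/sh
# Added example (not from the original answer): keytab-based kinit into a
# dedicated cache, KRB5CCNAME pointing at it, then an LDAP search bound via
# SASL/GSSAPI. Paths, principal, URI, base DN and filter are assumed
# placeholders; override them through the environment.
KEYTAB="${KEYTAB:-/etc/ldap-reader.keytab}"      # application keytab, NOT /etc/krb5.keytab
PRINCIPAL="${PRINCIPAL:-ldap-reader@EXAMPLE.COM}"
CACHE="${CACHE:-${TMPDIR:-/tmp}/krb5cc_ldap-reader_$(id -u)}"
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"

# A keytab is equivalent to the account's password: refuse to use one that
# other users on the host can read. Returns 0 only when group and other
# permission bits are all cleared (e.g. mode 0600 or 0400).
keytab_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Make sure a valid TGT sits in our private cache. klist -s exits non-zero
# when the cache is missing or the ticket has expired; only then re-kinit,
# so calling this before every search renews the ticket on demand.
ensure_ticket() {
    keytab_is_private "$KEYTAB" || {
        echo "refusing to use readable/missing keytab $KEYTAB" >&2
        return 1
    }
    export KRB5CCNAME="FILE:$CACHE"
    klist -s || kinit -k -t "$KEYTAB" -c "$CACHE" "$PRINCIPAL"
}

# Search using the ticket in KRB5CCNAME. -Y GSSAPI selects the SASL
# mechanism, -Q suppresses SASL chatter, -LLL gives plain LDIF output.
ldap_gssapi_search() {
    filter="$1"; shift
    ensure_ticket || return 1
    ldapsearch -Q -LLL -Y GSSAPI -H "$LDAP_URI" -b "$BASE_DN" "$filter" "$@"
}

# Run a search only when invoked as: ./script.sh --search '(uid=*)' uid mail
if [ "${1:-}" = "--search" ]; then
    shift
    ldap_gssapi_search "$@"
fi
```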