Authorization

For Kerberos V5 authorization to succeed, a mapping must exist on the application server that authorizes the user principal to operate as the login user. The term "login user'' refers to the user whose account is being accessed on the remote host. This is not necessarily the same user who originally issued the kinit or dce_login command.

Assume David has already issued the kinit command. In this example, David enters the following command, in which Susan is the login user:

$ rlogin -l susan hostA

Authorization is successful if both of the following requirements are met:

· The login user must have an entry in the /etc/passwd file on the application server (remote host).

· One of the following conditions must be true:

- A $HOME/.k5login file must exist in the login user's home directory on the application server and contain an entry for the authenticated user principal. This file must be owned by the login user, and only the login user can have write permission.

- A Kerberos V5 authorization name database file called /krb5/aname must exist on the application server and contain a mapping of the user principal to the login user. This condition requires additional tools only available in a full Kerberos environment.

- The user name in the user principal must be the same as the login user name, and the client and server systems must be in the same realm.