After you complete the network authentication service configuration
tasks for both of your systems, you need to verify that your configurations
work correctly for both System A and System B.
You can do this testing by completing these steps to request
a ticket granting ticket for the System A and System B principals:
Note: Ensure
that you have created a home directory for your IBM i user profile before
performing this procedure.
- On a command line, enter QSH to start the Qshell
Interpreter.
- Enter keytab list to display a list of principals
registered in the keytab file. In this scenario, krbsvr400/systema.myco.com@MYCO.COM
should display as the principal name for System A.
- Enter kinit -k krbsvr400/systema.myco.com@MYCO.COM to
request a ticket-granting ticket from the Kerberos server. By running
this command, you can verify that your IBM i has been configured
properly and that the password in the keytab file matches the password
stored on the Kerberos server. If this is successful then the kinit
command will display without errors.
- Enter klist to verify that the default principal
is krbsvr400/iseriesa.myco.com@MYCO.COM. This command displays the
contents of a Kerberos credentials cache and verifies that a valid
ticket has been created for the IBM i service principal
and placed within the credentials cache on the system.
Ticket cache: FILE:/QIBM/USERDATA/OS400/NETWORKAUTHENTICATION/creds/krbcred
Default principal: krbsvr400/systema.myco.com@MYCO.COM
Server: krbtgt/MYCO.COM@MYCO.COM
Valid 20XX/06/09-12:08:45 to 20XX/11/05-03:08:45
$
Repeat these steps using the service principal name
for System B: krbsvr400/systemb.myco.com@MYCO.COM
Now that you
have tested network authentication service on System A and System
B, you can create an EIM identifier for each of the administrators.