Test network authentication service on iSeries A and iSeries B

After you complete the network authentication service configuration tasks for both of your systems, you need to verify that your configurations work correctly for both iSeries™ A and iSeries B. You can do this testing by completing these steps to request a ticket granting ticket for the iSeries A and iSeries B principals:
Note: Ensure that you have created a home directory for your iSeries user profile before performing this procedure.
  1. On a command line, enter QSH to start the Qshell Interpreter.
  2. Enter keytab list to display a list of principals registered in the keytab file. In this scenario, krbsvr400/iseriesa.myco.com@MYCO.COM should display as the principal name for iSeries A.
  3. Enter kinit -k krbsvr400/iseriesa.myco.com@MYCO.COM to request a ticket-granting ticket from the Kerberos server. By running this command, you can verify that your iSeries system has been configured properly and that the password in the keytab file matches the password stored on the Kerberos server. If this is successful then the kinit command will display without errors.
  4. Enter klist to verify that the default principal is krbsvr400/iseriesa.myco.com@MYCO.COM. This command displays the contents of a Kerberos credentials cache and verifies that a valid ticket has been created for the iSeries service principal and placed within the credentials cache on the iSeries system. 
     Ticket cache: FILE:/QIBM/USERDATA/OS400/NETWORKAUTHENTICATION/creds/krbcred
                                                                    
 Default principal: krbsvr400/iseriesa.myco.com@MYCO.COM  
                                                                            
Server: krbtgt/MYCO.COM@MYCO.COM              
  Valid 200X/06/09-12:08:45 to 20XX/11/05-03:08:45                          
$

 Repeat these steps using the service principal name for iSeries B: krbsvr400/iseriesb.myco.com@MYCO.COM

Now that you have tested network authentication service on iSeries A and iSeries B, you can create an EIM identifier for each of the administrators.

Parent topic: Scenario: Enable single signon for i5/OS
Previous topic: Create home directories on iSeries A and iSeries B
Next topic: Create EIM identifiers for two administrators, John Day and Sharon Jones