&app; is a small helper that monitors and refreshes your Kerberos ticket. 2009 Guido Günther Guido Günther &legal; Jonathan Blandford rjb@redhat.com Guido Günther agx@sigxcpu.org 2.0 &date; Guido Günther agx@sigxcpu.org This manual describes how to use the Kerberos Network Authentication Dialog to manage your Kerberos tickets. To report a bug or make a suggestion regarding this package or this manual, use GNOME's Bugzilla.

&application; Manual krb5-auth-dialog &app; is an applet for the GNOME desktop that monitors and refreshes your Kerberos ticket. It pops up reminders when the ticket is about to expire. Once you have acquired a Kerberos ticket - be it via GDM or via the applet itself - the applet will handle the ticket's renewal until it expires. It can also be used to destroy (remove) the credential cache, to acquire a ticket with different options or to switch to another principal.

&app; is usually started in GNOME startup, but you can manually start &app; by doing: Command line Type krb5-auth-dialog --always, then press Return: The tray icon will indicate one of tree states:

You have a valid Kerberos ticket that can be used to authenticate to network services.

The Kerberos ticket is about to expire but it can still be used to authenticate to network services.

Your Kerberos became invalid (e.g. expired). It can no longer be used to authenticate to network services. This is not a problem if the application that requires Kerberos knows how to request a new ticket via &application;. In case it doesn't you can just left click on the applet an reenter your password.

When &app; has started, the following notifications may be displayed.

You just acquired a valid Kerberos ticket that can be used to authenticate to network services.

Your Kerberos credentials are about to expire. You can left click on the tray applet to refresh them.

Your Kerberos credentials just expired. They can no longer be used to authenticate to network services.

You can set preferences by selecting "Preferences" from the applets context menu or by selecting "Network Authentication" in the Control Center. Dialog Element Description Kerberos Principal The Kerberos principal to use. Leave blank to use you current username. If you change this setting you have to destroy the credential cache before these setting takes effect. PKINIT Userid The principals public/private/certificate identifier. Leave empty if not using PKINIT. To enable using a security token add the path to the pkcs11 Library here, e.g. "PKCS11:/usr/lib/opensc/opensc-pkcs11.so" PKINIT anchors Path to CA certificates used as trust anchors for pkinit. You only need to set this if it hasn't been set up globally in /etc/krb5.conf forwardable Whether the requested Kerberos ticket should be forwardable. Changing this setting requires to you to reauthenticate by left clicking on the tray icon and entering your password. renewable Whether the requested Kerberos ticket should be renewable. Changing this setting requires to you to reauthenticate by left clicking on the tray icon and entering your password. proxiable Whether the requested Kerberos ticket should be proxiable. Changing this setting requires to you to reauthenticate by left clicking on the tray icon and entering your password. Warn .. minutes before expiry Notifications that your credentials are about to expire will be sent that many minutes before expiry. Show tray icon Whether to show the tray icon. Disabling the tray icon will also disable notifications, the password dialog will be brought up instead.