Rev | Author | # | Line |
---|---|---|---|
1 | DanielLawson | 1 | Setting up [Kerberos] 5 |
1 | DanielLawson | 2 | |
1 | DanielLawson | 3 | Your Kerberos realm is normally the same as your DNS name, in capital letters. Therefore, if your DNS name is element.tla, your Kerberos realm will be ELEMENT.TLA. |
1 | DanielLawson | 4 | |
1 | DanielLawson | 5 | Under Debian, install the following packages: |
1 | DanielLawson | 6 | |
1 | DanielLawson | 7 | libkrb53 krb5-clients krb5-config krb5-doc krb5-user libpam-krb5 krb5-admin-server krb5-kdc |
2 | DanielLawson | 8 | |
2 | DanielLawson | 9 | Enter your Kerberos realm, select 'nopreauth', and specify where your Kerberos servers are (probably the current machine). |
2 | DanielLawson | 10 | |
2 | DanielLawson | 11 | |
2 | DanielLawson | 12 | Run the following to set up your Kerberos realm: |
2 | DanielLawson | 13 | |
2 | DanielLawson | 14 | krb5_newrealm |
2 | DanielLawson | 15 | |
2 | DanielLawson | 16 | This will set up the realm and create an administrative principal called root/admin@ELEMENT.TLA, if your realm is ELEMENT.TLA. |
2 | DanielLawson | 17 | |
2 | DanielLawson | 18 | |
2 | DanielLawson | 19 | Alternative: |
1 | DanielLawson | 20 | |
1 | DanielLawson | 21 | Run the following to set up Kerberos |
1 | DanielLawson | 22 | (AddToMe) |
1 | DanielLawson | 23 | |
1 | DanielLawson | 24 | kdb5_util create -r ELEMENT.TLA -s |
1 | DanielLawson | 25 | echo "*/admin@ELEMENT.TLA *" > /etc/krb5kdc/kadm5.acl |
1 | DanielLawson | 26 | kadmin.local |
1 | DanielLawson | 27 | addprinc root/admin@ELEMENT.TLA |
1 | DanielLawson | 28 | ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw |
1 | DanielLawson | 29 | quit |
1 | DanielLawson | 30 | |
1 | DanielLawson | 31 | /etc/init.d/krb5-kdc restart |
1 | DanielLawson | 32 | /etc/init.d/krb5-admin-server restart |
3 | PerryLorier | 33 | |
3 | PerryLorier | 34 | ----- |
3 | PerryLorier | 35 | Check it works with |
3 | PerryLorier | 36 | kinit root/admin |
3 | PerryLorier | 37 | then |
3 | PerryLorier | 38 | klist -e |
3 | PerryLorier | 39 | to list your keys. If you don't have any keys, you've done something wrong. Good luck finding out what :) (but when you do... Wiki the problem/answer on this page) |
3 | PerryLorier | 40 | |
3 | PerryLorier | 41 | ---- |
3 | PerryLorier | 42 | kadmin.local has a whole heap of useful commands letting you add new users/delete users and change passwords. Neat! |
4 | HikariCrowther | 43 | |
5 | HikariCrowther | 44 | ---- |
5 | HikariCrowther | 45 | You might want to avoid mixing [MIT] [KerberosV] and [Heimdal] KerberosV in your network, at least if you intend to use kadmin remotely from your KDC; which, of course, you do, it's the [Proper Way], after all. I've found that using Heimdal's kadmin to talk to your MIT KDC will just hang when you try to execute a command. |
4 | HikariCrowther | 46 | |
4 | HikariCrowther | 47 | ---- |
5 | HikariCrowther | 48 | [Microsoft] has an [Interoperability Guide\|http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prdp_log_tjil.asp] on their website for setting up Windows 2000 and XP Professional to use interactive logins that use the KDC as the authentication source. |
4 | HikariCrowther | 49 | |
5 | HikariCrowther | 50 | Unfortunately this guide is not complete: it fails to mention that [MIT]'s version of [KerberosV] and [Microsoft]'s implementation only share one enctype in common, namely DES-CBC-CRC. This means that when you add a host principal for a Windows machine you will need to use the "-e des-cbc-crc:normal" option to the ank command (ank is kadmin's alias for addprinc). Otherwise Windows will try to use its own RC4-HMAC enctype, which is not (currently) supported by MIT KerberosV; it possibly is supported by [Heimdal] [KerberosV]. |
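The "check it works" step above (kinit, then klist -e) and the DES-CBC-CRC caveat for Windows host principals both come down to reading klist -e output by eye. The script below is an added example, not part of the wiki page or of MIT Kerberos: it parses the listing, reports whether any tickets were obtained at all, and flags tickets whose session or ticket key uses a single-DES enctype, so an administrator can see at a glance which services are still stuck on the one enctype the page says MIT and Windows share. The klist -e text it ships with is constructed to match the shape of MIT output, not captured from a real KDC.

```python
"""Check `klist -e` output for (a) no tickets at all and (b) single-DES enctypes.

Added example; the sample listings below are constructed, not captured.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Single-DES enctypes; des-cbc-crc is the one the wiki page discusses.
DES_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

# A ticket line: "<valid starting>  <expires>  <service principal>"
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+(\S+@\S+)\s*$"
)
# The indented enctype line that `klist -e` prints under each ticket.
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*([^,\s]+),\s*(\S+)")


@dataclass
class Ticket:
    service: str
    expires: str
    skey_etype: Optional[str] = None  # session key enctype
    tkt_etype: Optional[str] = None   # enctype the ticket itself is encrypted with


def parse_klist(text: str) -> List[Ticket]:
    """Turn `klist -e` output into Ticket records (one per service principal)."""
    tickets: List[Ticket] = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(service=m.group(3), expires=m.group(2)))
            continue
        m = ETYPE_RE.match(line)
        if m and tickets:  # enctype line belongs to the most recent ticket
            tickets[-1].skey_etype, tickets[-1].tkt_etype = m.group(1), m.group(2)
    return tickets


def des_tickets(tickets: List[Ticket]) -> List[str]:
    """Service principals whose session or ticket key uses a single-DES enctype."""
    return [t.service for t in tickets
            if t.skey_etype in DES_ENCTYPES or t.tkt_etype in DES_ENCTYPES]


def assess(text: str) -> str:
    """'no-tickets' if kinit evidently failed, 'des-in-use' if DES is present, else 'ok'."""
    tickets = parse_klist(text)
    if not tickets:
        return "no-tickets"
    if des_tickets(tickets):
        return "des-in-use"
    return "ok"


# Constructed sample: a TGT on AES plus a Windows host ticket forced to des-cbc-crc.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/admin@ELEMENT.TLA

Valid starting       Expires              Service principal
02/03/2024 10:00:00  02/03/2024 20:00:00  krbtgt/ELEMENT.TLA@ELEMENT.TLA
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
02/03/2024 10:01:00  02/03/2024 20:00:00  host/winxp.element.tla@ELEMENT.TLA
\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc
"""

# Constructed sample of a cache with no tickets in it.
EMPTY_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/admin@ELEMENT.TLA

Valid starting       Expires              Service principal
"""

if __name__ == "__main__":
    # Use the real credential cache when klist is installed, else the sample.
    if shutil.which("klist"):
        output = subprocess.run(["klist", "-e"], capture_output=True, text=True).stdout
    else:
        output = SAMPLE_KLIST
    print("status:", assess(output))
    for service in des_tickets(parse_klist(output)):
        print("single-DES ticket:", service)
```

Run it right after kinit: "no-tickets" means the kinit step did not produce a cache worth looking at, and each "single-DES ticket" line names a service that is still on des-cbc-crc, which on a mixed MIT/Windows realm is expected for Windows host principals added with -e des-cbc-crc:normal but worth knowing about anywhere else.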