| Rev | Author | # | Line |
|---|---|---|---|
| 1 | DanielLawson | 1 | Setting up [Kerberos] 5 |
| | | 2 | |
| | | 3 | Your Kerberos realm name is conventionally your DNS domain name in upper case (realm names are case-sensitive, and the upper-case convention keeps them visibly distinct from DNS names). So if your DNS domain is element.tla, your Kerberos realm will be ELEMENT.TLA. |
| | | 4 | |
| | | 5 | Under Debian, install the following packages: |
| | | 6 | |
| | | 7 | libkrb53 krb5-clients krb5-config krb5-doc krb5-user libpam-krb5 krb5-admin-server krb5-kdc |
| 2 | DanielLawson | 8 | |
| | | 9 | When the package configuration prompts appear, enter your Kerberos realm, select 'nopreauth', and specify where your Kerberos servers (the KDC and the admin server) are, which is probably the current machine. |
| | | 10 | |
| | | 11 | |
| | | 12 | Run the following to set up your Kerberos realm: |
| | | 13 | |
| | | 14 | krb5_newrealm |
| | | 15 | |
| | | 16 | This will set up the realm and create an administrative principal called root/admin@ELEMENT.TLA, if your realm is ELEMENT.TLA. |
| | | 17 | |
| | | 18 | |
| | | 19 | Alternative: |
| 1 | DanielLawson | 20 | |
| | | 21 | Run the following to set up Kerberos by hand. The -s option to kdb5_util stores a stash of the master key so the KDC can start unattended, and the kadm5.acl line gives every */admin principal in the realm full administrative rights: |
| | | 22 | (AddToMe) |
| | | 23 | |
| | | 24 | kdb5_util create -r ELEMENT.TLA -s |
| | | 25 | echo "*/admin@ELEMENT.TLA *" > /etc/krb5kdc/kadm5.acl |
| | | 26 | kadmin.local |
| | | 27 | addprinc root/admin@ELEMENT.TLA |
| | | 28 | ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw |
| | | 29 | quit |
| | | 30 | |
| | | 31 | /etc/init.d/krb5-kdc restart |
| | | 32 | /etc/init.d/krb5-admin-server restart |
| 3 | PerryLorier | 33 | |
| | | 34 | ----- |
| | | 35 | Check that it works with |
| | | 36 | kinit root/admin |
| | | 37 | then |
| | | 38 | klist -e |
| | | 39 | to list your tickets and their enctypes. If you don't get a ticket-granting ticket (krbtgt/ELEMENT.TLA@ELEMENT.TLA), you've done something wrong. Good luck finding out what :) (but when you do... Wiki the problem/answer on this page) |
| | | 40 | |
| | | 41 | ---- |
| | | 42 | kadmin.local has a whole heap of useful commands (addprinc, delprinc, cpw, listprincs, ...) letting you add and delete principals and change passwords. Neat! |
| 4 | HikariCrowther | 43 | |
| 5 | HikariCrowther | 44 | ---- |
| | | 45 | You might want to avoid mixing [MIT] [KerberosV] and [Heimdal] KerberosV in your network, at least if you intend to use kadmin remotely from your KDC; which, of course, you do, it's the [Proper Way], after all. I've found that using Heimdal's kadmin to talk to your MIT KDC will just hang when you try to execute a command. |
| 4 | HikariCrowther | 46 | |
| | | 47 | ---- |
| | | 48 | [Microsoft] has an [Interoperability Guide|http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prdp_log_tjil.asp] on their website for setting up Windows 2000 and XP Professional to use interactive logins that use the KDC as the authentication source. |
| | | 49 | |
| | | 50 | Unfortunately this guide is not complete: it fails to mention that [MIT]'s version of [KerberosV] and [Microsoft]'s implementation only share one enctype in common, namely DES-CBC-CRC. This means that when you add a host principal for a Windows machine you will need to use the "-e des-cbc-crc:normal" option to the ank (addprinc) command, so that the principal gets only a single-DES key. Otherwise Windows will try to use its own RC4-HMAC enctype, which is not (currently) supported by MIT KerberosV; it possibly is supported by [Heimdal] [KerberosV]. Bear in mind that single DES has a 56-bit key and is cryptographically weak, so restrict it to the host principals that need it rather than making it the default for the realm. |
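The realm setup from the page above (realm name derived from the DNS domain, the configuration files, and the hand-run kdb5_util/kadmin.local sequence of the "Alternative" section), as a script. This is an added example and not code from the original wiki page or from Debian; it assumes the Debian paths /etc/krb5.conf and /etc/krb5kdc/kadm5.acl used on the page, a KDC and admin server on the local host, and two names that are this example's own: a KRB_PREFIX variable for rendering the files somewhere other than /etc during a dry run, and a KRB_SETUP_RUN=1 guard without which the destructive part does not run.

```shell
#!/bin/sh
# Added example (not from the original wiki page): scripted realm setup.
# Assumptions not taken from the page: KRB_PREFIX (where to render config
# files; empty means the real /etc) and KRB_SETUP_RUN=1 (run the destructive
# steps). Everything else follows the page's command sequence.
set -eu

# Realm = DNS domain upper-cased (element.tla -> ELEMENT.TLA).
realm_from_domain() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# Minimal /etc/krb5.conf: default realm, KDC and admin server for it, and the
# domain-to-realm mapping so hosts under the DNS domain land in the realm.
render_krb5_conf() {
    domain=$1 realm=$2 kdc=$3
    cat <<EOF
[libdefaults]
    default_realm = $realm

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# kadm5.acl: any */admin principal in the realm gets all rights ('*').
render_kadm5_acl() {
    printf '*/admin@%s *\n' "$1"
}

# The full procedure. Creates the database (-s writes the master-key stash so
# the KDC starts unattended), the root/admin principal (kadmin.local prompts
# for its password), the kadmind keytab, then restarts both daemons.
setup_realm() {
    domain=$1
    kdc=${2:-$(hostname -f)}
    prefix=${KRB_PREFIX:-}
    realm=$(realm_from_domain "$domain")
    mkdir -p "$prefix/etc/krb5kdc"
    render_krb5_conf "$domain" "$realm" "$kdc" > "$prefix/etc/krb5.conf"
    render_kadm5_acl "$realm" > "$prefix/etc/krb5kdc/kadm5.acl"
    kdb5_util create -r "$realm" -s
    kadmin.local -q "addprinc root/admin@$realm"
    kadmin.local -q "ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw"
    /etc/init.d/krb5-kdc restart
    /etc/init.d/krb5-admin-server restart
}

# Guarded so that sourcing the file to reuse the render_* helpers is harmless.
if [ "${KRB_SETUP_RUN:-0}" = 1 ]; then
    setup_realm "$@"
fi
```

Usage on the KDC itself: `KRB_SETUP_RUN=1 sh setup-realm.sh element.tla`; to inspect the rendered configuration first, run with `KRB_PREFIX=/tmp/krb5-dryrun` and without KRB_SETUP_RUN, then call `render_krb5_conf` from the sourced file.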
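The "check it works" step (kinit root/admin, then klist -e) and the Windows interoperability note (host principals limited to DES-CBC-CRC with "-e des-cbc-crc:normal") as checks that parse the tool output rather than eyeballing it. This is an added example and not from the original page; the klist and getprinc samples in it are constructed by hand so the parsers can be exercised without a KDC, the hostname winbox.element.tla is made up, and the output format is assumed to contain the stable parts "krbtgt/REALM@REALM", an "Etype ...:" line under it, and "Key: vno N, <enctype>" lines (the exact wording differs between MIT releases).

```shell
#!/bin/sh
# Added example (not from the original wiki page). Parsers for `klist -e`
# and kadmin `getprinc` output, plus the commands around them. The SAMPLE_*
# texts are constructed, not captured from a real KDC.
set -eu

# Read `klist -e` output on stdin and print the enctypes of the TGT for
# REALM ($1), or nothing if no TGT for that realm is in the cache.
tgt_etypes() {
    awk -v realm="$1" '
        index($0, "krbtgt/" realm "@" realm) { found = 1; next }
        found && /Etype/ { sub(/^[^:]*: */, ""); print; exit }
    '
}

# Read `getprinc` output on stdin and print one enctype per "Key:" line,
# stripping the "vno N, " prefix.
key_etypes() {
    sed -n 's/^Key: vno [0-9][0-9]*, //p'
}

# True when the principal on stdin (getprinc output) has at least one key and
# every key is DES-CBC-CRC (short name or the older long description).
only_des_cbc_crc() {
    keys=$(key_etypes)
    [ -n "$keys" ] && ! printf '%s\n' "$keys" \
        | grep -v -i -E -q 'des-cbc-crc|DES cbc mode with CRC-32'
}

# Live check of a realm: get a TGT as root/admin and report its enctypes.
check_realm() {
    realm=$1
    kinit "root/admin@$realm"
    etypes=$(klist -e | tgt_etypes "$realm")
    if [ -z "$etypes" ]; then
        echo "no TGT for $realm in the cache; check krb5.conf and the KDC log" >&2
        return 1
    fi
    echo "TGT for $realm obtained; enctypes: $etypes"
}

# kadmin command for a Windows host principal: DES-CBC-CRC only, the one
# enctype MIT and Windows 2000/XP share. No -randkey, since the password
# entered must be the one the Windows machine is configured with.
windows_host_addprinc() {
    printf 'addprinc -e des-cbc-crc:normal host/%s@%s\n' "$1" "$2"
}

# Add the principal on the KDC and confirm it got only a DES-CBC-CRC key.
add_windows_host() {
    host=$1 realm=$2
    kadmin.local -q "$(windows_host_addprinc "$host" "$realm")"
    kadmin.local -q "getprinc host/$host@$realm" | only_des_cbc_crc \
        || { echo "host/$host@$realm has non-DES keys; Windows logons will fail" >&2; return 1; }
}

# Constructed sample outputs for exercising the parsers offline.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/admin@ELEMENT.TLA

Valid starting     Expires            Service principal
01/02/07 10:00:00  01/02/07 20:00:00  krbtgt/ELEMENT.TLA@ELEMENT.TLA
        Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1'

SAMPLE_GETPRINC='Principal: host/winbox.element.tla@ELEMENT.TLA
Expiration date: [never]
Number of keys: 1
Key: vno 1, des-cbc-crc
Policy: [none]'
```

On a real KDC, `check_realm ELEMENT.TLA` replaces the manual kinit/klist step, and `add_windows_host winbox.element.tla ELEMENT.TLA` fails loudly if the principal ended up with any key Windows cannot use, which is the mistake the page warns about.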