Updated.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@4097 ec53bebd-3082-4978-b11e-865c3cabbd6b
@@ -66,14 +66,11 @@ library will be used instead.
|
|||||||
@node Finishing the installation, , Building and Installing, Building and Installing
|
@node Finishing the installation, , Building and Installing, Building and Installing
|
||||||
@section Loose threads
|
@section Loose threads
|
||||||
|
|
||||||
The
|
|
||||||
@pindex rsh
|
|
||||||
@code{rsh} program in this distribution presently isn't usable with
|
|
||||||
non-kerberised @code{rshd}s. It should not be installed set-uid to root.
|
|
||||||
|
|
||||||
@pindex login
|
@pindex login
|
||||||
The @code{telnetd} daemon will try to use the @code{login} found in the
|
There is a login program in the distribution, but it isn't built by
|
||||||
@file{/usr/athena/bin} directory. If you don't have a working login
|
default, and might not work as expected. Instead, @code{telnetd} will
|
||||||
program there (it should grok the @samp{-f} flag), you can either start
|
try to use the @code{login} found in the @file{/usr/athena/bin}
|
||||||
telnetd with the @samp{-L} flag, or edit the definition of @code{BINDIR}
|
directory. If you don't have a working login program there (it should
|
||||||
in @file{telnetd.h}.
|
grok the @samp{-f} flag), you can either start telnetd with the
|
||||||
|
@samp{-L} flag, or edit the definition of @code{BINDIR} in
|
||||||
|
@file{telnetd.h}.
|
||||||
|
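Review bot: the new sentence "There is a login program in the distribution, but it isn't built by default, and might not work as expected." leaves the reader with two login programs and no guidance on which to use; add a line on when to build the distribution's own login and when to point @code{BINDIR} at an existing one, since "Instead, @code{telnetd} will try to use ..." does not follow naturally from it. "it should grok the @samp{-f} flag" is the only requirement stated for the external login program, so spell out what behaviour @samp{-f} is expected to provide rather than leaving it as jargon. The unchanged context line "It should not be installed set-uid to root." for @code{rsh} would also read better with the reason attached.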
@@ -31,9 +31,9 @@ popper, etc.)
|
|||||||
include enough backwards compatibility with Kerberos V4
|
include enough backwards compatibility with Kerberos V4
|
||||||
@end itemize
|
@end itemize
|
||||||
|
|
||||||
This initial pre-version is mostly compatible with the M.I.T
|
This initial pre-version is mostly compatible with the M.I.T.
|
||||||
implementation, as well as DCE secd. The library is at least not
|
implementation, as well as DCE secd. The library is at least not
|
||||||
completely different from the M.I.T @code{libkrb5}.
|
completely different from the M.I.T. @code{libkrb5}.
|
||||||
|
|
||||||
@heading Status
|
@heading Status
|
||||||
|
|
||||||
@@ -66,8 +66,8 @@ a library @file{libkafs} for authenticating to AFS and a program
|
|||||||
@item
|
@item
|
||||||
some simple test programs
|
some simple test programs
|
||||||
@item
|
@item
|
||||||
a KDC that supports most things, not including cross-realm and
|
a KDC that supports most things; optionally, it may also support
|
||||||
user-to-user, optionally, it may also support Kerberos V4 and kaserver,
|
Kerberos V4 and kaserver,
|
||||||
@item
|
@item
|
||||||
simple programs for distributing databases between a KDC master and
|
simple programs for distributing databases between a KDC master and
|
||||||
slaves
|
slaves
|
||||||
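Review bot: dropping "not including cross-realm and user-to-user" from the KDC item silently turns two documented limitations into implied features; if both are now supported, say so explicitly, and if not, keep the exclusion. The rewritten item also ends in a dangling comma ("Kerberos V4 and kaserver,") right before the next @item; end it without punctuation like the neighbouring items.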
@@ -75,7 +75,7 @@ slaves
|
|||||||
a password changing daemon @file{kpasswdd}, library functions for
|
a password changing daemon @file{kpasswdd}, library functions for
|
||||||
changing passwords and a simple client
|
changing passwords and a simple client
|
||||||
@item
|
@item
|
||||||
an incredibly simple @file{kdb_edit}
|
some kind of administration system
|
||||||
@item
|
@item
|
||||||
Kerberos V4 support in many of the applications.
|
Kerberos V4 support in many of the applications.
|
||||||
@end itemize
|
@end itemize
|
||||||
|
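Review bot: "some kind of administration system" is vaguer than the line it replaces ("an incredibly simple @file{kdb_edit}"); the later hunks of this commit document @code{kadmin -l} as the tool for init, add, dump and ext, so name it here (for example "an administration program, @file{kadmin}") so that the feature list and the setup chapter agree.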
@@ -39,20 +39,22 @@ assignments. The value of a variable extends to the end of the line.
|
|||||||
var = yet another value
|
var = yet another value
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
To denote entries in the config file, the names of sections and bindings
|
In this manual, names of sections and bindings will be given as strings
|
||||||
will be given separated with slashes (@samp{/}). The @samp{other-var}
|
separated by slashes (@samp{/}). The @samp{other-var} variable will thus
|
||||||
variable will thus be @samp{section1/a-subsection/other-var}.
|
be @samp{section1/a-subsection/other-var}.
|
||||||
|
|
||||||
For in-depth information about the contents of the config file, refer to
|
For in-depth information about the contents of the config file, refer to
|
||||||
the @file{krb5.conf} manual page. Some of the more important sections
|
the @file{krb5.conf} manual page. Some of the more important sections
|
||||||
are briefly described here. The @samp{libdefaults} section contains a
|
are briefly described here.
|
||||||
list of library configuration parameters, such as the default realm and
|
|
||||||
the timeout for kdc responses. The @samp{realms} section contains
|
The @samp{libdefaults} section contains a list of library configuration
|
||||||
information about specific realms, such as where they hide their
|
parameters, such as the default realm and the timeout for kdc
|
||||||
KDC. This section serves the same purpose as the Kerberos 4
|
responses. The @samp{realms} section contains information about specific
|
||||||
@file{krb.conf} file, but can contain more information. Finally the
|
realms, such as where they hide their KDC. This section serves the same
|
||||||
@samp{domain_realm} section contains a list of mappings from domains to
|
purpose as the Kerberos 4 @file{krb.conf} file, but can contain more
|
||||||
realms, equivalent to the Kerberos 4 @file{krb.realms} file.
|
information. Finally the @samp{domain_realm} section contains a list of
|
||||||
|
mappings from domains to realms, equivalent to the Kerberos 4
|
||||||
|
@file{krb.realms} file.
|
||||||
|
|
||||||
To continue with the realm setup, you will have to create a config file,
|
To continue with the realm setup, you will have to create a config file,
|
||||||
with contents similar to the following.
|
with contents similar to the following.
|
||||||
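Review bot: the reflowed paragraph writes "the timeout for kdc responses" and, two sentences later, "where they hide their KDC"; use one capitalisation (the rest of the chapter uses KDC). "where they hide their KDC" is informal for a reference manual; "which hosts run their KDCs" says the same thing plainly. "Finally the @samp{domain_realm} section" wants a comma after "Finally".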
@@ -89,33 +91,31 @@ Master key:
|
|||||||
Verifying password - Master key:
|
Verifying password - Master key:
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
To initialise the database use the @code{kdb_edit} program. First issue
|
To initialise the database use the @code{kadmin} program, with the
|
||||||
a @kbd{init MY.REALM} command. This will create the database and insert
|
@samp{-l} option (to enable local database mode). First issue a
|
||||||
|
@kbd{init MY.REALM} command. This will create the database and insert
|
||||||
default principals for that realm. You can have more than one realm in
|
default principals for that realm. You can have more than one realm in
|
||||||
one database, so @samp{init} does not destroy any old database.
|
one database, so @samp{init} does not destroy any old database.
|
||||||
|
|
||||||
Before creating the database, @samp{init} will ask you some questions
|
Before creating the database, @samp{init} will ask you some questions
|
||||||
about default and max ticket lifetimes. The default values should be fine.
|
about max ticket lifetimes.
|
||||||
|
|
||||||
After creating the database you should probably add yourself. You do
|
After creating the database you should probably add yourself. You do
|
||||||
this with the @samp{ank} command. It takes as argument the name of a
|
this with the @samp{add} command. It takes as argument the name of a
|
||||||
principal. The principal should contain a realm, so if you haven't setup
|
principal. The principal should contain a realm, so if you haven't setup
|
||||||
a default realm, you will need to explicitly include the realm.
|
a default realm, you will need to explicitly include the realm.
|
||||||
|
|
||||||
@example
|
@example
|
||||||
# kdb_edit
|
# kadmin -l
|
||||||
kdb_edit: Database is encrypted
|
kadmin> init MY.REALM
|
||||||
kdb_edit> init MY.REALM
|
Realm max ticket life [unlimited]:
|
||||||
Realm max ticket life: [infinite]
|
Realm max renewable ticket life [unlimited]:
|
||||||
Realm max renewable ticket life: [infinite]
|
kadmin> add me
|
||||||
Default ticket life: [1 day]
|
Max ticket life [unlimited]:
|
||||||
Default renewable ticket life: [7 days]
|
Max renewable life [unlimited]:
|
||||||
kdb_edit> ank me
|
Attributes []:
|
||||||
Max ticket life [1 day]:
|
Password:
|
||||||
Max renewable ticket [7 days]:
|
Verifying password - Password:
|
||||||
Flags [client, server, postdate, renewable, proxiable, forwardable]:
|
|
||||||
Password:
|
|
||||||
Verifying password - Password:
|
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
Now start the KDC and try getting a ticket.
|
Now start the KDC and try getting a ticket.
|
||||||
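Review bot: the rewritten example shows "Realm max ticket life [unlimited]:" and "Realm max renewable ticket life [unlimited]:" as the defaults, and the old sentence "The default values should be fine." was removed without a replacement, so the text now gives no advice on what to answer. An unlimited realm maximum means tickets and renewable TGTs never expire on their own, which is a poor default for a realm; add a sentence recommending a finite value here, and likewise for the per-principal "Max ticket life [unlimited]:" and "Max renewable life [unlimited]:" prompts shown under @kbd{add me}. The "Attributes []:" prompt is also new in this example but is not explained in the surrounding prose.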
@@ -125,7 +125,7 @@ Now start the KDC and try getting a ticket.
|
|||||||
# kinit me
|
# kinit me
|
||||||
me@@MY.REALMS's Password:
|
me@@MY.REALMS's Password:
|
||||||
# klist
|
# klist
|
||||||
Credentials cache: /tmp/krb5cc_3008
|
Credentials cache: /tmp/krb5cc_0
|
||||||
Principal: me@@MY.REALM
|
Principal: me@@MY.REALM
|
||||||
|
|
||||||
Issued Expires Principal
|
Issued Expires Principal
|
||||||
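Review bot: this hunk changes the cache path to @file{/tmp/krb5cc_0} but leaves the typo "me@@MY.REALMS's Password:" in the same block, which disagrees with "Principal: me@@MY.REALM" three lines below; fix it to "me@@MY.REALM's Password:" in the same change. The @samp{#} prompt and the @file{krb5cc_0} name show the example being run as root; a short remark that this is only because the KDC was just set up would keep readers from copying the habit of obtaining user tickets as root.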
@@ -134,40 +134,34 @@ Aug 25 07:25:55 Aug 25 17:25:55 krbtgt/MY.REALM@@MY.REALM
|
|||||||
|
|
||||||
To verify that the contents of the database you can use the @samp{dump}
|
To verify that the contents of the database you can use the @samp{dump}
|
||||||
command to list all the entries. It should look something similar to
|
command to list all the entries. It should look something similar to
|
||||||
the following example (note that the entries here are divided into two
|
the following example (note that the entries here are truncated for
|
||||||
lines for typographical reasons):
|
typographical reasons):
|
||||||
|
|
||||||
@smallexample
|
@smallexample
|
||||||
kdb_edit> dump
|
kadmin> dump
|
||||||
krbtgt/MY.REALM@@MY.REALM 1:0:1:0001010000010000:- \
|
me@@MY.REALM 1:0:1:0b01d3cb7c293b57:-:0:7:8aec316b9d1629e3baf8 ...
|
||||||
19970908002104:kadmin@@MY.REALM - - - - - - 62
|
kadmin/admin@@MY.REALM 1:0:1:e5c8a2675b37a443:-:0:7:cb913ebf85 ...
|
||||||
default@@MY.REALM 0 \
|
krbtgt/MY.REALM@@MY.REALM 1:0:1:52b53b61c875ce16:-:0:7:c8943be ...
|
||||||
19970908002104:kadmin@@MY.REALM - - - - 86400 604800 128
|
kadmin/changepw@@MY.REALM 1:0:1:f48c8af2b340e9fb:-:0:7:e3e6088 ...
|
||||||
kadmin/changepw@@MY.REALM 1:0:1:2213b905229d3990:- \
|
|
||||||
19970908002104:kadmin@@MY.REALM - - - - 86400 604800 545
|
|
||||||
me@@MY.REALM 1:0:1:908f1cf6110487cc:- \
|
|
||||||
19970908002112:kadmin@@MY.REALM - - - - 86400 604800 126
|
|
||||||
@end smallexample
|
@end smallexample
|
||||||
|
|
||||||
@section keytabs
|
@section keytabs
|
||||||
|
|
||||||
To extract a service ticket from the database and put it in a keytab you
|
To extract a service ticket from the database and put it in a keytab you
|
||||||
need to first create the principal in the database with @samp{ank}
|
need to first create the principal in the database with @samp{ank}
|
||||||
(entering @kbd{random} for password) and then extract it with
|
(using the @kbd{--random} flag to get a random password) and then
|
||||||
@samp{ext_keytab}.
|
extract it with @samp{ext_keytab}.
|
||||||
|
|
||||||
@example
|
@example
|
||||||
# kdb_edit
|
kadmin> add --random host/my.host.name
|
||||||
kdb_edit> ank host/my.host.name
|
Max ticket life [unlimited]:
|
||||||
Max ticket life [1 day]:
|
Max renewable life [unlimited]:
|
||||||
Max renewable life [1 week]:
|
Attributes []:
|
||||||
Flags [client, server, postdate, renewable, proxiable, forwardable]:
|
kadmin> ext host/my.host.name
|
||||||
Password:
|
|
||||||
Verifying password - Password:
|
|
||||||
kdb_edit> ext host/my.host.name
|
|
||||||
# ktutil list
|
# ktutil list
|
||||||
Version Type Principal
|
Version Type Principal
|
||||||
1 1 host/my.host.name@@MY.REALM
|
1 des host/my.host.name@@MY.REALM
|
||||||
|
1 des3 host/my.host.name@@MY.REALM
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
@section Testing clients and servers
|
@section Testing clients and servers
|
||||||
|
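Review bot: the keytab prose and its example disagree on command names: the text still says to create the principal "with @samp{ank} (using the @kbd{--random} flag ...)" and to "extract it with @samp{ext_keytab}", while the example runs @kbd{kadmin> add --random host/my.host.name} and @kbd{kadmin> ext host/my.host.name}; use the same names in both places. The first sentence should say "service key" rather than "service ticket": what @samp{ext} writes into the keytab is the principal's key (the @kbd{ktutil list} output shows des and des3 key types), and that is what makes the keytab file worth protecting. Minor: "To verify that the contents of the database you can use" should read "To verify the contents of the database, you can use", and the keytab example starts at the @kbd{kadmin>} prompt without the @kbd{# kadmin -l} invocation that the earlier example shows.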