More options and some text about windows clients, certificate and KDCs.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17337 ec53bebd-3082-4978-b11e-865c3cabbd6b
@@ -1184,15 +1184,15 @@ PKCS12:/path/to/file.pfx
|
|||||||
|
|
||||||
@end table
|
@end table
|
||||||
|
|
||||||
@section Configuring the kerberos software
|
@section Configure the Kerberos software
|
||||||
|
|
||||||
Add configuration options to krb5.conf
|
Write about configuration options to krb5.conf.
|
||||||
|
|
||||||
kinit
|
Write about kinit.
|
||||||
|
|
||||||
kdc
|
Write about the kdc.
|
||||||
|
|
||||||
@section Configuring the client
|
@section Configure the client
|
||||||
|
|
||||||
@example
|
@example
|
||||||
[appdefaults]
|
[appdefaults]
|
||||||
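Review bot: the renamed "Configure the Kerberos software" section still consists only of editing placeholders ("Write about configuration options to krb5.conf.", "Write about kinit.", "Write about the kdc."), and as plain Texinfo text they will render in the generated manual; either fill them in now or wrap them in @c comments (or an @ignore ... @end ignore block) until the real text exists, so readers do not see notes-to-self in the published documentation.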
@@ -1202,11 +1202,13 @@ kdc
|
|||||||
EXAMPLE.COM = @{
|
EXAMPLE.COM = @{
|
||||||
pkinit_require_eku = true
|
pkinit_require_eku = true
|
||||||
pkinit_require_krbtgt_otherName = true
|
pkinit_require_krbtgt_otherName = true
|
||||||
|
win2k_pkinit = no
|
||||||
|
win2k_pkinit_require_binding = yes
|
||||||
@}
|
@}
|
||||||
|
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
@section Configuring the KDC
|
@section Configure the KDC
|
||||||
|
|
||||||
@example
|
@example
|
||||||
[kdc]
|
[kdc]
|
||||||
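Review bot: `win2k_pkinit = no` and `win2k_pkinit_require_binding = yes` are added to the [appdefaults] example with no sentence saying what they control, and the only explanation in this patch (the new "Using PK-INIT with Windows" section) puts the same two options under [realms] rather than [appdefaults]; pick one section for both examples, or state that both are honoured, and add one line here noting that `no` / `yes` is the setting to use against a standards-conforming KDC, since the later text describes the bound reply as the secure type.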
@@ -1225,8 +1227,8 @@ Note that the file this is space sensitive.
|
|||||||
@example
|
@example
|
||||||
# cat /var/heimdal/pki-mapping
|
# cat /var/heimdal/pki-mapping
|
||||||
# comments starts with #
|
# comments starts with #
|
||||||
lha@EXAMPLE.ORG:C=SE,O=Stockholm universitet,CN=Love,UID=lha
|
lha@@EXAMPLE.ORG:C=SE,O=Stockholm universitet,CN=Love,UID=lha
|
||||||
lha@EXAMPLE.ORG:CN=Love,UID=lha
|
lha@@EXAMPLE.ORG:CN=Love,UID=lha
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
@subsection Using Kerberos database
|
@subsection Using Kerberos database
|
||||||
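Review bot: escaping `@` as `@@` in the two `lha@@EXAMPLE.ORG` mapping lines is the right Texinfo fix (the unescaped `@` would be read as the start of a command), but while this example is being touched the comment line should read `# comments start with #`, and the hunk's own context line "Note that the file this is space sensitive." appears to have a word out of place ("Note that this file is space sensitive.").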
@@ -1278,3 +1280,39 @@ openssl x509 -extensions user_certificate
|
|||||||
@c #subjectAltName = email:copy
|
@c #subjectAltName = email:copy
|
||||||
|
|
||||||
|
|
||||||
|
@section Using PK-INIT with Windows
|
||||||
|
|
||||||
|
@subsection Client configration
|
||||||
|
|
||||||
|
Clients using a Windows KDC with PK-INIT need configuration since
|
||||||
|
windows uses pre-standard format and this can't be autodetected.
|
||||||
|
|
||||||
|
The win2k_pkinit_require_binding option requires the reply for the KDC
|
||||||
|
to be of the new, secure, type that binds the request to reply. Before
|
||||||
|
clients should fake the reply from the KDC. To use this option you
|
||||||
|
have to apply a fix from Microsoft.
|
||||||
|
|
||||||
|
@example
|
||||||
|
[realms]
|
||||||
|
MY.MS.REALM = @{
|
||||||
|
win2k_pkinit = yes
|
||||||
|
win2k_pkinit_require_binding = no
|
||||||
|
@}
|
||||||
|
@end example
|
||||||
|
|
||||||
|
@subsection Certificates
|
||||||
|
|
||||||
|
The client certificates needs to have the extended keyusage ``Microsoft
|
||||||
|
Smartcardlogin'' (openssl have the oid shortname msSmartcardLogin).
|
||||||
|
|
||||||
|
See Microsoft Knowledge Base Article - 281245 ``Guidelines for Enabling
|
||||||
|
Smart Card Logon with Third-Party Certification Authorities'' for a
|
||||||
|
more extensive description of how set setup an external CA to it
|
||||||
|
includes all information that will make a Windows KDC happy.
|
||||||
|
|
||||||
|
@subsection Configure Windows 2000 CA
|
||||||
|
|
||||||
|
To enable Microsoft Smartcardlogin> for certificates in your Windows
|
||||||
|
2000 CA, you want to look at Microsoft Knowledge Base Article -
|
||||||
|
313274 ``HOW TO: Configure a Certification Authority to Issue
|
||||||
|
Smart Card Certificates in Windows''.
|
||||||
|
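Review bot: the [realms] example sets `win2k_pkinit_require_binding = no`, which turns off exactly the request-to-reply binding that the preceding paragraph calls the new, secure reply type, yet the text never says this is a downgrade; state explicitly that `no` is only for a KDC that does not yet have the Microsoft fix and that `yes` is the value to restore once it is applied, and identify that fix (a KB article number or hotfix name), because "apply a fix from Microsoft" is not actionable as written. Wording in the added text also needs a pass: "Client configration" -> "Client configuration"; "Before clients should fake the reply from the KDC" is unclear (presumably: before that fix, clients had no way to verify that a reply belonged to their request); "The client certificates needs to have the extended keyusage" -> "need to have the extended key usage"; "openssl have the oid shortname" -> "OpenSSL has the OID short name"; "how set setup an external CA to it includes all information" -> "how to set up an external CA so that it includes all information"; and the stray ">" in "Microsoft Smartcardlogin>" should go.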