add some text on slaves and new extension of kadmind.acl
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@8730 ec53bebd-3082-4978-b11e-865c3cabbd6b
@@ -1,4 +1,5 @@
|
|||||||
@node Setting up a realm, Things in search for a better place, Building and Installing, Top
|
@node Setting up a realm, Things in search for a better place, Building and Installing, Top
|
||||||
|
|
||||||
@chapter Setting up a realm
|
@chapter Setting up a realm
|
||||||
|
|
||||||
A
|
A
|
||||||
@@ -186,7 +187,7 @@ Access to the admin server is controlled by an acl-file, (default
|
|||||||
@file{/var/heimdal/kadmind.acl}.) The lines in the access file, has the
|
@file{/var/heimdal/kadmind.acl}.) The lines in the access file, has the
|
||||||
following syntax:
|
following syntax:
|
||||||
@smallexample
|
@smallexample
|
||||||
principal [priv1,priv2,...]
|
principal [priv1,priv2,...] [glob-pattern]
|
||||||
@end smallexample
|
@end smallexample
|
||||||
|
|
||||||
The privileges you can assign to a principal are: @samp{add},
|
The privileges you can assign to a principal are: @samp{add},
|
||||||
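Review bot: the sentence introducing the syntax block, "The lines in the access file, has the following syntax", has a subject-verb disagreement and a stray comma; since this hunk already touches the syntax it introduces, change it to "The lines in the access file have the following syntax". The new optional field, `principal [priv1,priv2,...] [glob-pattern]`, reuses the square brackets that the privilege list uses to mean "optional", which is consistent, but the syntax line alone does not say what a line without a pattern grants; the explanatory paragraph that follows should state explicitly that an omitted pattern means the privileges apply to all principals.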
@@ -195,6 +196,11 @@ The privileges you can assign to a principal are: @samp{add},
|
|||||||
@samp{all}. All of these roughly corresponds to the different commands
|
@samp{all}. All of these roughly corresponds to the different commands
|
||||||
in @samp{kadmin}.
|
in @samp{kadmin}.
|
||||||
|
|
||||||
|
If a @var{glob-pattern} is given on a line, it restricts the right for
|
||||||
|
the principal to only apply for the subjects that match the pattern.
|
||||||
|
The patters are of the same type as those used in shell globbing, see
|
||||||
|
@url{none,,fnmatch(3)}.
|
||||||
|
|
||||||
@section Password changing
|
@section Password changing
|
||||||
|
|
||||||
To allow users to change their passwords, you should run @samp{kpasswdd}.
|
To allow users to change their passwords, you should run @samp{kpasswdd}.
|
||||||
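Review bot: the added paragraph says the pattern restricts "the right for the principal to only apply for the subjects that match the pattern" but never says what a "subject" is matched against; the reader needs to know whether the pattern is compared with the full principal name including the realm or with the name only, because `*/admin` and `*` behave very differently depending on that. Also fix the typo "patters" to "patterns", and the reference `@url{none,,fnmatch(3)}` uses the literal URL `none`; a manual page is better referenced as `@code{fnmatch(3)}` or `@manpage{fnmatch,3}` rather than a @url with a placeholder target. Finally, the paragraph should spell out the default: when no pattern is given, the privileges on that line are unrestricted.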
@@ -245,3 +251,42 @@ verified that it is at least six characters of length.
|
|||||||
|
|
||||||
Now you should be able to run all the clients and servers. Refer to the
|
Now you should be able to run all the clients and servers. Refer to the
|
||||||
appropriate man pages for information on how to use them.
|
appropriate man pages for information on how to use them.
|
||||||
|
|
||||||
|
@section Slave servers
|
||||||
|
|
||||||
|
It is desirable to have at least one backup (slave) server in case the
|
||||||
|
master server fails. It is possible to have any number of such slave
|
||||||
|
servers but more than three usually doesn't buy much more redundancy.
|
||||||
|
|
||||||
|
All Kerberos servers for a realm shall have the same database so that
|
||||||
|
they present the same service to all the users. The
|
||||||
|
@pindex hprop
|
||||||
|
@code{hprop} program, running on the master, will propagate the database
|
||||||
|
to the slaves, running
|
||||||
|
@pindex hpropd
|
||||||
|
@code{hpropd} processes.
|
||||||
|
|
||||||
|
Every slave needs a keytab with a principal,
|
||||||
|
@samp{hprop/@var{hostname}}. Add that with the
|
||||||
|
@pindex ktutil
|
||||||
|
@code{ktutil} command and start
|
||||||
|
@pindex hpropd
|
||||||
|
@code{propd}, as follows:
|
||||||
|
|
||||||
|
@example
|
||||||
|
slave# ktutil get -p foo/admin host/slave
|
||||||
|
slave# hpropd
|
||||||
|
@end example
|
||||||
|
|
||||||
|
The master will use the principal @samp{kadmin/hprop} to authenticate to
|
||||||
|
the slaves. This principal should be added when running @kbd{kadmin -l
|
||||||
|
init} but if you do not have it in your database for whatever reason,
|
||||||
|
please add it with @kbd{kadmin -l add}.
|
||||||
|
|
||||||
|
Then run
|
||||||
|
@pindex hprop
|
||||||
|
@code{hprop} on the master:
|
||||||
|
|
||||||
|
@example
|
||||||
|
master# hprop slave
|
||||||
|
@end example
|
||||||
|