From f50a7f177e99290f1f6470b0a02fa6b787882577 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= Date: Mon, 13 Dec 2004 17:10:44 +0000 Subject: [PATCH] add new node: Providing Kerberos credentials to servers and programs git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@14395 ec53bebd-3082-4978-b11e-865c3cabbd6b --- doc/setup.texi | 47 +++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 45 insertions(+), 2 deletions(-) diff --git a/doc/setup.texi b/doc/setup.texi index ae6b1ca03..b8d39cfec 100644 --- a/doc/setup.texi +++ b/doc/setup.texi @@ -20,6 +20,7 @@ * Setting up DNS:: * Using LDAP to store the database:: * Using Samba LDAP password database:: +* Providing Kerberos credentials to servers and programs:: @end menu A @@ -773,7 +774,7 @@ configuration file. Make sure you include the schema: @example -include /usr/local/etc/openldap/schema/krb5-kdc.schema +include /usr/local/etc/openldap/schema/hdb.schema @end example Start the slapd with the local listener (as well as the default TCP/IP @@ -843,7 +844,7 @@ Now consider adding indexes to the database to speed up the access. @url{https://sec.miljovern.no/bin/view/Info/TroubleshootingGuide} -@node Using Samba LDAP password database, , Using LDAP to store the database, Setting up a realm +@node Using Samba LDAP password database, Providing Kerberos credentials to servers and programs, Using LDAP to store the database, Setting up a realm @section Using Samba LDAP password database @cindex Samba 
@@ -852,3 +853,45 @@ Write text here. Note that the samba domain and the realm realm can have diffrent names since arcfour's string to key function principal/realm independent. + +@node Providing Kerberos credentials to servers and programs, , Using Samba LDAP password database, Setting up a realm +@section Providing Kerberos credentials to servers and programs + +Some service require Kerberos credentials when they start to make +connections to other services or use them when they have started. + +The easiest way to get ticket for the a service is to store the key in +a keytab. Both ktutil get and kadmin ext can be used to get a +keytab. ktutil get is better in that way it changes the key/password +for the user. This the problem with the ktutil. It ktutil is used for +the same service principal on several hosts, they keytab will only +useful on the last host. In that case, run the command on host and +copy the keytab around to all other hosts that needs it. + +@example +host# ktutil -k /etc/krb5-service.keytab \ + get -p lha/admin@@EXAMPLE.ORG service-principal@@EXAMPLE.ORG +lha/admin@@EXAMPLE.ORG's Password: +@end example + +To get a Kerberos credential file for the service, use kinit in the +--keytab mode, this will not ask for a password but rather that the +key from the keytab. + +@example +service@@host$ kinit --cache=/var/run/service_krb5_cache \ + --keytab=/etc/krb5-service.keytab \ + service-principal@@EXAMPLE.ORG +@end example + +Long running services might need credentials longer then the expiration +time of the tickets. kinit can run in a mode that refreshes the +tickets before the expire. This is useful for services that write into +AFS and other distributed file systems using Kerberos. + +@example +service@@host$ kinit --cache=/var/run/service_krb5_cache \ + --keytab=/etc/krb5-service.keytab \ + service-principal@@EXAMPLE.ORG script-to-start-service +@end example +
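Review bot: the include change from krb5-kdc.schema to hdb.schema in the second hunk is unrelated to the subject ("add new node: Providing Kerberos credentials to servers and programs") and rides along unannounced; either split it into its own commit or add a line to the commit message, and confirm that hdb.schema is the name the tree actually installs so the setup guide does not point readers at a file that is not there.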
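Review bot: in the new section the ktutil paragraph contradicts itself: it first says `ktutil get` "is better in that way it changes the key/password" and then "This the problem with the ktutil", while the point it is reaching for is that `ktutil get` generates a fresh key each time it runs, so running it on several hosts for the same service principal leaves only the last keytab valid. Suggest stating that directly, e.g. "ktutil get creates a new random key for the principal and stores it in the keytab, which invalidates any keytab extracted earlier; run it once and copy the resulting keytab to the other hosts." The examples also need an access-control sentence: the first runs as root (`host#`) and the second as the service user (`service@@host$`), so say that /etc/krb5-service.keytab must be readable by the service account and by nobody else, and that /var/run/service_krb5_cache must likewise not be world-readable, since the keytab is the service's long-term key and the cache holds its live tickets. The last paragraph should also explain the trailing `script-to-start-service` argument, i.e. that kinit starts that command with its credentials in the given cache and keeps the tickets renewed for as long as it runs, since the current text only mentions "a mode that refreshes the tickets". Finally, fix the typos in the added text: "Some service require" -> "Some services require", "get ticket for the a service" -> "get a ticket for a service", "they keytab will only useful" -> "the keytab will only be useful", "longer then" -> "longer than", "before the expire" -> "before they expire".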