[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Incomplete documentation
- To: heimdal-discuss@sics.se
- Subject: Incomplete documentation
- From: Martin MOKREJŠ <mmokrejs@natur.cuni.cz>
- Date: Wed, 17 Sep 2003 23:56:55 +0200 (CEST)
- In-Reply-To: <xofk78o1lyc.fsf@blubb.pdc.kth.se>
- References: <Pine.OSF.4.51.0309041617460.382176@tao.natur.cuni.cz><xofoey01uwp.fsf@blubb.pdc.kth.se> <Pine.OSF.4.51.0309041641310.382176@tao.natur.cuni.cz><xofk78o1lyc.fsf@blubb.pdc.kth.se>
- Sender: owner-heimdal-discuss@sics.se
On Thu, 4 Sep 2003, Johan Danielsson wrote:
> Martin MOKREJS <mmokrejs@natur.cuni.cz> writes:
>
> > Actually I do use heimdal but with fallback support for kerberos 4
> > as we use AFS.
>
> AFS works with Kerberos 5 these days.
But http://www.pdc.kth.se/heimdal/heimdal.html#Building%20and%20Installing
says:
--with-krb4=dir
Gives the location of Kerberos 4 libraries and headers. This enables Kerberos 4 support in the applications (telnet, rsh, popper, etc) and the KDC. It is automatically check for in /usr/athena. If you keep libraries and headers in different places, you can instead give the path to each with the --with-krb4-lib=dir, and --with-krb4-include=dir options.
You will need a fairly recent version of our Kerberos 4 distribution for rshd and popper to support version 4 clients.
--enable-kaserver
Enables experimental kaserver support in the KDC. This is the protocol used by the "KDC" in AFS. Requires Kerberos 4 support.
--enable-kaserver-db
Enables experimental support for reading kaserver databases in hprop. This is useful when migrating from a kaserver to a Heimdal KDC.
So, how am I supposed to configure heimdal whe want to use AFS? With or
without --with-krb4. How about the --enable-kaserver option. As I do not
need to convert from krb4 to krb5 type databse, I can omit
--enable-kaserver-db, right?
------------------------------------------
I have heimdal up and running, even with afs, but I'm not sure if it is
because the KDC is still hemidal compiled with support for krb4 and
kaserver, or because of the krb5.conf containing
[kadmin]
default_etypes = des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:
default_etypes_des = des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3 des-cbc-crc:
or something else.
-------------------------------------------
The docs at http://www.pdc.kth.se/heimdal/heimdal.html are really
insufficient. For example, on slaves, am I supposed "kdc -s"?
It says only about hpropd. With krb4, we used to run "kerberos -s" on
slaves ...
-------------------------------------------
Another question, how is the database on slaves encrypted? Does it use
the master key from master KDC? I guess not. So where is the master key
used on slaves?Is that the hprop/host key?
-------------------------------------------
http://www.pdc.kth.se/heimdal/heimdal.html#Slave%20Servers contains a typo:
"Every slave needs a keytab with a principal, hprop/hostname. Add that with
the ktutil command and start propd, as follows:
slave# ktutil get -p foo/admin host/`hostname`
slave# hpropd
"
I believe there should be in example:
slave# ktutil get -p foo/admin hprop/`hostname`
slave# hpropd
Thanks for help
--
Martin Mokrejs <mmokrejs@natur.cuni.cz>, <m.mokrejs@gsf.de>
PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics <http://mips.gsf.de>
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585