
Re: Incomplete documentation

Martin MOKREJŠ <mmokrejs@natur.cuni.cz> writes:

> So, how am I supposed to configure heimdal when we want to use AFS? With or
> without --with-krb4. How about the --enable-kaserver option. As I do not
> need to convert from krb4 to krb5 type database, I can omit
> --enable-kaserver-db, right?

--enable-kaserver requires krb4 libs, so for that you'll need a working
  krb4. Are you still using a kaserver/kaserver emulation?

--enable-kaserver-db is just for dumping a kaserver krb4 database. If you
  are no longer running a kaserver, you don't need it.

> The docs at http://www.pdc.kth.se/heimdal/heimdal.html are really
> insufficient. For example, on slaves, am I supposed "kdc -s"?
> It says only about hpropd. With krb4, we used to run "kerberos -s" on
> slaves ...

There is no -s (slave flag) for heimdal kdc. The old "kerberos" v4 kdc used
to look at the data and if it was "old" refused to serve any of the data.

> Another question, how is the database on slaves encrypted? Does it use
> the master key from master KDC? I guess not. So where is the master key
> used on slaves? Is that the hprop/host key?

It's encrypted with the master key in /var/heimdal/m-key; the
hprop/`hostname` keys are just for authentication and transport encryption
when dumping the database.

> http://www.pdc.kth.se/heimdal/heimdal.html#Slave%20Servers contains a typo:
> "Every slave needs a keytab with a principal, hprop/hostname. Add that with
> the ktutil command and start propd, as follows:
> slave# ktutil get -p foo/admin host/`hostname`
> slave# hpropd
> "
> I believe there should be in example:
> slave# ktutil get -p foo/admin hprop/`hostname`
> slave# hpropd

This is fixed in the info documentation, just not propagated to the
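As an added check (not part of the thread), a small shell function that inspects a slave's keytab listing and confirms it carries the hprop/`hostname` principal the propagation docs call for, flagging the host/`hostname` entry the documentation typo would produce. The `ktutil list` output format and the `-k` keytab option are assumptions; the sample listings are constructed.

```sh
# check_hprop_keytab LISTING HOSTNAME
# Returns 0 when LISTING (output of 'ktutil list') contains hprop/HOSTNAME,
# 1 otherwise, with a hint on stderr if only host/HOSTNAME is present.
check_hprop_keytab() {
    listing=$1
    host=$2
    if printf '%s\n' "$listing" | grep -q "hprop/$host@"; then
        return 0
    fi
    if printf '%s\n' "$listing" | grep -q "host/$host@"; then
        echo "keytab has host/$host but no hprop/$host (documented typo?)" >&2
    else
        echo "keytab has no hprop/$host entry" >&2
    fi
    return 1
}

# Constructed sample listings (assumed Heimdal 'ktutil list' layout).
GOOD_KEYTAB='FILE:/var/heimdal/hprop.keytab

  Vno  Type                     Principal
    1  des3-cbc-sha1            hprop/slave.example.com@EXAMPLE.COM'

BAD_KEYTAB='FILE:/var/heimdal/hprop.keytab

  Vno  Type                     Principal
    1  des3-cbc-sha1            host/slave.example.com@EXAMPLE.COM'

# Live use on a slave (assumes ktutil accepts -k for the keytab path):
#   check_hprop_keytab "$(ktutil -k /var/heimdal/hprop.keytab list)" "$(hostname)"
```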