
Re: Reply: Re: kerberos setup, basic questions

> 1. Does this "host" is the hostname of service PC? And
> do I have to use hostname instead of the service PC's
> IP address??

The principal consists of 3 parts:

<Name> / <Instance> @ <Realm> (spaces inserted for readability)

For users <Name> obviously is the username, <Instance> is empty and
<Realm> is your Realm (obviously). Sometimes the <Instance> is used
for administrative accounts.

Example:

haba@KTH.SE
haba/admin@KTH.SE

For services (like telnet, rsh, ftp, nfs, afs) the <Name> is the service
name. telnet and rsh and ssh share the name "host" because a host
is identified by it. <Instance> is the name of the host and <Realm>
again is as usual.

Fictional examples:

host/loginserver.kth.se@KTH.SE
host/belgarath.lfs.org@LFS.ORG
afs/kth.se@KTH.SE

The confusing part is that all commands accept principals in short forms
where the "obvious" (default) parts are omitted.

Example: 

kinit haba 

which means <Name> is haba, <Instance> is empty and <Realm> is default
(KTH.SE in my case).


> 2. If my hostname is kerberosA, the kerberosized
> service program is heimdal's telnetd, and my krb5.conf
> is following:
> 
> [libdefaults]
>         default_realm = WEDGIE.ORG
> 
> [realms]
>         WEDGIE.ORG = {
>                 kdc = 192.168.0.30
>                 admin_server = 192.168.0.30
>         }
> 
> [domain_realm]
>         .wedgie.org = WEDGIE.ORG
> 
> the "host" should be kerberosA  or admin_server?
> so will I input
> kadmin>add -r kerberosA/WEDGIE.ORG
> or the
> kadmin>add -r admin_server/WEDGIE.ORG

You need one for each host you want to login to.

It should be <Name>/<Instance>@<Realm>, which in your case
probably is

host/kerberosA.your.domain@WEDGIE.ORG 
host/kerberosB.your.domain@WEDGIE.ORG 
host/kerberosC.your.domain@WEDGIE.ORG 

or something like that

The Instance part must match what the IP address of the host resolves
to. For Kerberos to work, you must have a working setup of host name
resolving in both directions.

You said " kadmin>add -r ....", but it is easier to use ktutil get on
each of your hosts. It creates the principal in the KDC and makes the
corresponding /etc/krb5.keytab on the host.

Harald.
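The naming rules in the reply above (three-part principals, short forms that fall back to the default realm, and a host/ instance that must agree with what the host's address resolves to) as a worked example. This is added code, not part of the original thread or of Heimdal; the default realm and the DNS table are constructed stand-ins, and real code would query the resolver with socket.getaddrinfo and socket.gethostbyaddr instead of the fake_forward/fake_reverse helpers.

```python
"""Kerberos principal names: the <Name>/<Instance>@<Realm> form, the short
forms that fill in defaults, and the forward/reverse name check that decides
what the <Instance> of a host/ principal must be.
Added example; the DNS table below is constructed, not real."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

DEFAULT_REALM = "KTH.SE"  # plays the role of default_realm in [libdefaults]


@dataclass(frozen=True)
class Principal:
    name: str
    instance: str  # empty for ordinary user principals
    realm: str

    def __str__(self) -> str:
        head = self.name if not self.instance else f"{self.name}/{self.instance}"
        return f"{head}@{self.realm}"


def parse_principal(text: str, default_realm: str = DEFAULT_REALM) -> Principal:
    """Expand a possibly abbreviated principal.

    Accepts "haba", "haba/admin", "haba@KTH.SE" and "host/x.kth.se@KTH.SE".
    A missing realm is filled from default_realm; a missing instance is empty.
    Simplification (assumption): one instance component and no backslash escapes.
    """
    text = text.strip()
    if not text:
        raise ValueError("empty principal")
    # The realm follows the last '@'; everything before it is name[/instance].
    head, sep, realm = text.rpartition("@")
    if not sep:
        head, realm = text, default_realm
    if not realm:
        raise ValueError(f"missing realm in {text!r}")
    name, _, instance = head.partition("/")
    if not name:
        raise ValueError(f"missing name in {text!r}")
    return Principal(name, instance, realm)


# Constructed stand-in for DNS.  kerberosA resolves cleanly in both directions;
# broken.wedgie.org points at an address whose PTR record names a different host.
FAKE_A: Dict[str, str] = {
    "kerberosa": "192.168.0.31",
    "kerberosa.wedgie.org": "192.168.0.31",
    "broken.wedgie.org": "192.168.0.40",
}
FAKE_PTR: Dict[str, str] = {
    "192.168.0.31": "kerberosa.wedgie.org",
    "192.168.0.40": "other.wedgie.org",
}

Resolver = Callable[[str], Optional[str]]


def fake_forward(host: str) -> Optional[str]:
    return FAKE_A.get(host.lower())


def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def resolve_host_instance(hostname: str, forward: Resolver = fake_forward,
                          reverse: Resolver = fake_reverse) -> Optional[str]:
    """Return the name the host's address resolves back to, or None when the
    forward and reverse mappings do not agree."""
    ip = forward(hostname)
    if ip is None:
        return None
    canonical = reverse(ip)
    if canonical is None:
        return None
    # Close the loop: the PTR name must itself resolve to the same address.
    if forward(canonical) != ip:
        return None
    return canonical.lower()


def host_principal(hostname: str, realm: str, forward: Resolver = fake_forward,
                   reverse: Resolver = fake_reverse) -> Principal:
    """Build host/<canonical name>@<REALM> for a login host, refusing hosts
    whose name resolution is not consistent in both directions."""
    instance = resolve_host_instance(hostname, forward, reverse)
    if instance is None:
        raise ValueError(f"{hostname}: forward/reverse resolution inconsistent")
    return Principal("host", instance, realm)


if __name__ == "__main__":
    for short in ("haba", "haba/admin", "host/loginserver.kth.se@KTH.SE"):
        print(f"{short:35} -> {parse_principal(short)}")
    print(host_principal("kerberosA", "WEDGIE.ORG"))
```

Running the block expands `haba` to `haba@KTH.SE` exactly as `kinit haba` would, and turns the short name `kerberosA` into `host/kerberosa.wedgie.org@WEDGIE.ORG`, the shape the reply recommends; `broken.wedgie.org` is rejected because its address does not resolve back to the same name, which is the mismatch that makes a keytab entry useless.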