
Re: Reply: Re: kerberos setup, basic questions

> 1. Is this "host" the hostname of the service PC? And
> do I have to use the hostname instead of the service PC's
> IP address?

The principal consists of 3 parts:

<Name> / <Instance> @ <Realm> (spaces inserted for readability)

For users <Name> obviously is the username, <Instance> is empty and
<Realm> is your Realm (obviously). Sometimes the <Instance> is used
for administrative accounts.



For services (like telnet, rsh, ftp, nfs, afs) the <Name> is the service
name. telnet and rsh and ssh share the name "host" because a host
is identified by it. <Instance> is the name of the host and <Realm>
again is as usual.

Fictional examples:


The confusing part is that all commands accept principals in short forms
where the "obvious" (default) parts are omitted.


kinit haba 

which means <Name> is haba, <Instance> is empty and <Realm> is default
(KTH.SE in my case).

> 2. If my hostname is kerberosA, the kerberized
> service program is heimdal's telnetd, and my krb5.conf
> is the following:
> [libdefaults]
>         default_realm = WEDGIE.ORG
> [realms]
>         WEDGIE.ORG = {
>                 kdc =
>                 admin_server =
>         }
> [domain_realm]
>         .wedgie.org = WEDGIE.ORG
> the "host" should be kerberosA or admin_server?
> so will I input
> kadmin>add -r kerberosA/WEDGIE.ORG
> or the
> kadmin>add -r admin_server/WEDGIE.ORG

You need one for each host you want to log in to.

It should be <Name>/<Instance>@<Realm> which in your case

probably is 


or something like that

The Instance part must match what the IP address of the host resolves
to. For Kerberos to work, you must have a working setup of host name
resolving in both directions.

You said " kadmin>add -r ....", but it is easier to use ktutil get on
each of your hosts. It creates the principal in the KDC and makes the
corresponding /etc/krb5.keytab on the host.
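As an added illustration (not part of the original post or of Heimdal), the following Python expands the short principal forms described above using the default_realm and domain_realm values from the quoted krb5.conf, and checks the two-way host name resolution requirement against constructed lookup tables; the extra .kth.se mapping and all addresses are assumptions.

```python
"""Expand Kerberos principal short forms and check the instance host name.

Example code written for this thread, not Heimdal's implementation.
"""
import re
from dataclasses import dataclass

# Constructed defaults mirroring the quoted krb5.conf; the .kth.se entry is an
# added assumption so the domain_realm lookup has more than one answer.
DEFAULT_REALM = "WEDGIE.ORG"
DOMAIN_REALM = {".wedgie.org": "WEDGIE.ORG", ".kth.se": "KTH.SE"}


@dataclass(frozen=True)
class Principal:
    name: str
    instance: str  # empty for ordinary users
    realm: str

    def __str__(self):
        head = f"{self.name}/{self.instance}" if self.instance else self.name
        return f"{head}@{self.realm}"


def realm_for_host(fqdn):
    """Map a host name to its realm via [domain_realm], else default_realm."""
    host = fqdn.lower()
    for suffix, realm in DOMAIN_REALM.items():
        if host.endswith(suffix):
            return realm
    return DEFAULT_REALM


def parse_principal(text):
    """Expand 'name', 'name/instance' or 'name/instance@REALM' to a full principal."""
    m = re.fullmatch(r"([^/@]+)(?:/([^/@]+))?(?:@([^/@]+))?", text.strip())
    if not m:
        raise ValueError(f"malformed principal: {text!r}")
    name, instance, realm = m.group(1), m.group(2) or "", m.group(3)
    if realm is None:
        # A host/<fqdn> service principal takes its realm from the host's domain;
        # everything else gets default_realm, as 'kinit haba' does.
        use_host = name == "host" and instance
        realm = realm_for_host(instance) if use_host else DEFAULT_REALM
    return Principal(name, instance, realm)


def instance_resolves_both_ways(principal, forward, reverse):
    """The instance must be the name forward lookup resolves and the IP maps back to.

    forward/reverse are constructed dicts standing in for DNS (A and PTR records).
    """
    ip = forward.get(principal.instance)
    return ip is not None and reverse.get(ip) == principal.instance
```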