Drift/Kerberos: Difference between revisions
Revision as of 12:56, 9 January 2010
Installing the KDC

Edit /etc/hosts so that the public IP (e.g. 129.241.210.168) resolves to the KDC's hostname; otherwise it will not work.

Install heimdal-clients.

Add the following at the bottom of /etc/krb5.conf to get the right encryption types:
<pre>
[kadmin]
	default_keys = aes256-cts-hmac-sha1-96:pw-salt aes128-cts-hmac-sha1-96:pw-salt des3-cbc-sha1:pw-salt arcfour-hmac-md5:pw-salt
</pre>

Install heimdal-kdc.
<pre>
asgard:~# kadmin -l
kadmin> init PVV.NTNU.NO
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin: create_random_entry(krbtgt/PVV.NTNU.NO@PVV.NTNU.NO): randkey failed: Principal or policy already exists
kadmin: create_random_entry(kadmin/changepw@PVV.NTNU.NO): randkey failed: Principal or policy already exists
kadmin: create_random_entry(kadmin/admin@PVV.NTNU.NO): randkey failed: Principal or policy already exists
kadmin: create_random_entry(changepw/kerberos@PVV.NTNU.NO): randkey failed: Principal or policy already exists
kadmin: create_random_entry(kadmin/hprop@PVV.NTNU.NO): randkey failed: Principal or policy already exists
kadmin: kadm5_create_principal: Principal or policy already exists
</pre>
<pre>
kadmin> modify -a -disallow-all-tix,requires-pre-auth default
kadmin> get default
Principal: default@PVV.NTNU.NO
Principal expires: never
Password expires: never
Last password change: 2009-06-16 18:16:07 UTC
Max ticket life: 1 day
Max renewable life: 1 week
Kvno: 1
Mkvno: 0
Last successful login: never
Last failed login: never
Failed login count: 0
Last modified: 2009-06-16 18:18:43 UTC
Modifier: kadmin/admin@PVV.NTNU.NO
Attributes: requires-pre-auth
Keytypes: aes256-cts-hmac-sha1-96(pw-salt), aes128-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
PK-INIT ACL:
Aliases:
</pre>
<pre>
kadmin> add knuta/admin
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes [requires-pre-auth]:
knuta/admin@PVV.NTNU.NO's Password:
Verifying - knuta/admin@PVV.NTNU.NO's Password:
</pre>

Edit /etc/heimdal-kdc/kadmind.acl and add the following:
<pre>
knuta/admin all
</pre>

Create a symlink (because of a bug in heimdal-kdc):
<pre>
ln -s /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/
</pre>

Edit /etc/heimdal-kdc/kdc.conf and set the following options:
<pre>
[password_quality]
	min_length = 8

[kadmin]
	default_keys = aes256-cts-hmac-sha1-96:pw-salt aes128-cts-hmac-sha1-96:pw-salt des3-cbc-sha1:pw-salt arcfour-hmac-md5:pw-salt
</pre>
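As an added check that is not part of this wiki page, the following Python script parses `kadmin get` output of the kind shown above and flags principals that lack requires-pre-auth or whose key set contains enctypes that RFC 6649 (single DES) and RFC 8429 (3DES and RC4) have since deprecated; note that des3-cbc-sha1 and arcfour-hmac-md5 are both in the default_keys list on this page. The sample output is reconstructed from the page, and the finding texts are my own.

```python
"""Audit a Heimdal principal as printed by `kadmin get` (added example, not from the wiki)."""
import re

# Enctypes deprecated for Kerberos by RFC 6649 (single DES) and RFC 8429 (3DES and RC4).
DEPRECATED_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "des3-cbc-sha1", "arcfour-hmac-md5",
}

# Constructed sample: the page's `kadmin> get default` output, one field per line.
SAMPLE_GET_OUTPUT = """\
Principal: default@PVV.NTNU.NO
Last password change: 2009-06-16 18:16:07 UTC
Max ticket life: 1 day
Attributes: requires-pre-auth
Keytypes: aes256-cts-hmac-sha1-96(pw-salt), aes128-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
PK-INIT ACL:
Aliases:
"""


def parse_kadmin_get(text):
    """Parse `kadmin get` output into a dict; Attributes and Keytypes become lists."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # only the first ':' separates field and value
        if sep:
            fields[key.strip()] = value.strip()
    fields["Attributes"] = [a for a in re.split(r"[,\s]+", fields.get("Attributes", "")) if a]
    # "des3-cbc-sha1(pw-salt)" -> ("des3-cbc-sha1", "pw-salt")
    keytypes = []
    for item in fields.get("Keytypes", "").split(","):
        m = re.match(r"\s*([\w-]+)(?:\(([^)]*)\))?", item)
        if m:
            keytypes.append((m.group(1), m.group(2) or ""))
    fields["Keytypes"] = keytypes
    return fields


def audit_principal(fields):
    """Return a list of findings for one parsed principal; empty means nothing to flag."""
    findings = []
    if "requires-pre-auth" not in fields["Attributes"]:
        findings.append("requires-pre-auth not set: an AS-REP can be obtained without proving the password")
    for enctype, _salt in fields["Keytypes"]:
        if enctype in DEPRECATED_ENCTYPES:
            findings.append(f"deprecated enctype in key set: {enctype}")
    return findings


if __name__ == "__main__":
    for finding in audit_principal(parse_kadmin_get(SAMPLE_GET_OUTPUT)):
        print("WARN:", finding)
```

Run against the sample it reports the two deprecated enctypes; pipe the output of `kadmin -l get <principal>` into it to check a live KDC.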
New machines

Add a host principal:
<pre>
kadmin> add --random-key host/berners-lee.pvv.ntnu.no
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes [requires-pre-auth]:
</pre>

Log in to the machine.

Install Heimdal:
<pre>
berners-lee:~# aptitude install heimdal-clients
</pre>

Fetch the keytab:
<pre>
berners-lee:~# ktutil get -p knuta/admin host/berners-lee.pvv.ntnu.no
</pre>

Configure PAM (TODO: document this).