[3660] in Kerberos
Re: Looking for Documentation
daemon@ATHENA.MIT.EDU (Shawn Mamros)
Mon Aug 8 09:20:07 1994
Date: Mon, 8 Aug 94 09:07:08 EDT
To: kerberos@MIT.EDU
Cc: mamros@ftp.com
From: mamros@ftp.com (Shawn Mamros)
gaskell@dstc.qut.edu.au (Gary Gaskell) writes:
>Chris, try some Ultrix manuals for a start. They have a list of steps,
>which may help, but realise that the Ultrix Kerberos is limited.
I wouldn't recommend the ULTRIX manuals at all, for two reasons:
1) The original poster requested information on Kerberos V5.
ULTRIX uses V4.
2) ULTRIX only uses Kerberos for machine->machine authentication,
specifically to support network distribution of their "enhanced"
security authorization database. The principals needed for such
support are quite different from those used in a more "typical"
Kerberos environment, where user->service authentication is the norm.
The ULTRIX scheme doesn't even give principals to users, so learning
Kerberos configuration from the ULTRIX manuals will only lead to
(more) confusion.
In the interest of being constructive, here are some helpful hints
for the original poster...
- Look at the include file <krb5/osconf.h> to see where the various
configuration files (krb.conf, krb.realms, etc.) are expected to be.
If you don't like the directory specified, change it and recompile.
- krb.conf and krb.realms use the same format as they did in V4.
- The file src/config-files/services.append (part of the distribution)
shows what should be added to /etc/services. Note that there are also
sample krb.conf and krb.realms files in that directory as well, along
with man pages that describe those files.
- As for creating keyfiles (aka srvtab files), that's now done through
kdb5_edit (which replaces both kdb_edit and ext_srvtab from V4 days).
Take a look at the man page for kdb5_edit for more information. Keyfiles
now are named v5srvtab - again, see <krb5/osconf.h> for the exact
location.
- Instead of the two-part "principal.instance" names you had under V4,
you now have multi-component names, where the components are separated
by slash (/) characters. In most practical circumstances, though, you
won't have cause to use more than two components in a principal name.
Service principals are still two-part names, except that where you used
only a host's "short" name as the second part, you now use the fully-
qualified domain name. Also, the oft-used "rcmd" principal name from
V4 is now named "host" in V5, so you'll have principals that look like
"host/hostname.my.domain@MY.REALM", instead of "rcmd.hostname@MY.REALM".
Hope this helps...
-Shawn Mamros
E-mail to: mamros@ftp.com
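The V4-to-V5 principal-name mapping from the last bullet above, as an added example that is not part of the original message or the krb5 distribution; the domain, the set of V4 names treated as service principals (beyond "rcmd"), and the sample principals are assumptions made for illustration:

```python
"""Map Kerberos V4 'name.instance@REALM' principals to V5 'name/instance@REALM'.

Rules taken from the message above:
  - V4 two-part 'name.instance' becomes V5 'name/instance' (slash-separated components)
  - the V4 service name 'rcmd' is called 'host' in V5
  - a service principal's short hostname instance becomes a fully-qualified name
"""

# Rename stated in the message; any other V4 name is assumed to keep its spelling.
V4_TO_V5_SERVICE_NAMES = {"rcmd": "host"}

# Assumed (constructed) set of V4 names whose instance is a hostname.
DEFAULT_SERVICE_NAMES = frozenset({"rcmd", "ftp", "pop"})


def parse_v4_principal(text):
    """Split 'name.instance@REALM' into (name, instance, realm); instance may be ''."""
    local, sep, realm = text.rpartition("@")
    if not sep or not local or not realm:
        raise ValueError("V4 principal must look like name.instance@REALM: %r" % text)
    name, _, instance = local.partition(".")  # V4 allows only one dot-separated instance
    return name, instance, realm


def parse_v5_principal(text):
    """Split 'c1/c2/.../cn@REALM' into (components, realm); components may be many."""
    local, sep, realm = text.rpartition("@")
    components = local.split("/")
    if not sep or not realm or any(not c for c in components):
        raise ValueError("V5 principal must look like c1/c2@REALM: %r" % text)
    return components, realm


def format_v5_principal(components, realm):
    """Join components with slashes and append the realm."""
    return "/".join(components) + "@" + realm


def v4_to_v5(text, domain, service_names=DEFAULT_SERVICE_NAMES):
    """Convert one V4 principal string to its V5 form for the given DNS domain."""
    name, instance, realm = parse_v4_principal(text)
    is_service = name in service_names
    name = V4_TO_V5_SERVICE_NAMES.get(name, name)   # rcmd -> host
    if is_service and instance and "." not in instance:
        instance = instance + "." + domain             # short hostname -> FQDN
    components = [name] + ([instance] if instance else [])
    return format_v5_principal(components, realm)
```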