[4364] in Kerberos


Kerberos 5 - what to do after you install

daemon@ATHENA.MIT.EDU (Andrew Gross)
Sat Dec 17 06:31:31 1994

Date: Sat, 17 Dec 94 03:25:07 -0800
From: Andrew Gross <drew@drew.sdsc.edu>
To: kerberos@MIT.EDU


Hello,

   Hobbit has encouraged me to offer these instructions.  They come
from the K4 setup instructions, from looking at code, and from notes
on this mailing list.

   These are not the clearest instructions.  They are terse and are
no help if something is not working.  If there are comments/edits
to make these more useful to the public at large, I'll try to add them
in my copious free time.

Enjoy,
Andrew Gross
=========================================================================
From: grossa@sdsc.edu

> Can you send me the krb set up info?

   Ok, first...

In .../krb5/admin

   ./krb5_create

                Give it the master kerberos password

   ./krb5_stash

                Give it the master kerberos password

   ./kdb5_edit

                ldb

   You should see something like:
   (Replace DARK.UCSD.EDU with your realm)

entry: K/M@DARK.UCSD.EDU
entry: krbtgt/DARK.UCSD.EDU@DARK.UCSD.EDU

   These are the kerberos master and tgt service (clearly).
   Now add the following principals with ark (random key, since they are services):

kadmin/DARK.UCSD.EDU@DARK.UCSD.EDU
        for kadmin and kpasswd

   Now add user principals with ank (so you can set the password):

drew@DARK.UCSD.EDU
        vanilla user
drew/admin@DARK.UCSD.EDU
        for access to kadmin
drew/root@DARK.UCSD.EDU
        for v4 ksu

   Now add host principals (with ark):

host/dark@DARK.UCSD.EDU
host/drew.extern.ucsd.edu@DARK.UCSD.EDU
host/portnoy.sdsc.edu@DARK.UCSD.EDU

   Extract a v5srvtab with:

xst host_name host

   Move this to .../krb5/v5srvtab.

   Add these to /etc/services:

# Real kerberos info
kerberos        88/udp          kdc             # Kerberos authentication--udp
kerberos        88/tcp          kdc             # Kerberos authentication--tcp
kerberos5       88/udp          kdc             # Kerberos authentication--udp
kerberos5       88/tcp          kdc             # Kerberos authentication--tcp
klogin          543/tcp                         # Kerberos authenticated rlogin
kshell          544/tcp         cmd             # and remote shell
kerberos-adm    749/tcp                         # Kerberos 5 admin/changepw
kerberos-adm    749/udp                         # Kerberos 5 admin/changepw
kerberos4       750/udp                         # Kerberos authentication--udp
kerberos4       750/tcp                         # Kerberos authentication--tcp
kerberos-sec    750/udp                         # Kerberos authentication--udp
kerberos-sec    750/tcp                         # Kerberos authentication--tcp
kerberos_master 751/udp                         # Kerberos authentication
kerberos_master 751/tcp                         # Kerberos authentication
krb_prop        754/tcp                         # Kerberos slave propagation
kftp            765/tcp                         # Kerberos ftp
kpop            1109/tcp                        # Pop with Kerberos
eklogin         2105/tcp                        # Kerberos encrypted rlogin
ekshell         2106/tcp                        # Kerberos encrypted rsh
#


   Now start the kdc:  .../krb5/sbin/krb5kdc &

   Try kinit, klist, and kdestroy - they should all work at this point.

   Next start kadmind as with the kdc.  Now kadmin and kpasswd should work...

   Add the following file:

.../krb5/admin_acl_file:
#       Administrator Access Control List
#       Format:
#       Name    Privileges      Comments
#       Where Privileges is a string containing one or more of
#               "a"             Add New Principals
#               "c"             Change Passwords
#               "d"             Delete Current Principals
#               "i"             Inquire About Existing Principals
#               "m"             Modify Existing Principals
#               "*"             All Privileges
#jqsample/admin@realm   *
#tomjones/admin@realm   acim    # Note - May Not Delete
drew/admin@DARK.UCSD.EDU        *

   Change the last line to your admin principal.  Now try kadmin...

   Add this to /etc/inetd.conf :

# kerberos
klogin  stream  tcp     nowait  root    /krb5/sbin/krlogind Klogind
eklogin stream  tcp     nowait  root    /krb5/sbin/krlogind eKlogind
kshell  stream  tcp     nowait  root    /krb5/sbin/krshd    Kshd

   kill -HUP inetd.  Now add a ~/.k5login with your principal in
it, e.g.

drew@DARK.UCSD.EDU

   Now you should be able to rlogin, rsh and rcp to yourself.

   Now you need to make a host/?@R prin. for any other host you want to
speak kerberos with and xst that into a v5srvtab for that host.

=========================================================================
My principal list:

Default:
entry: K/M@DREW
entry: krbtgt/DREW@DREW

Interrealm: (need same password and vno on both servers)
entry: krbtgt/DREW@RCS.COM
entry: krbtgt/RCS.COM@DREW

K4:
entry: changepw/kerberos@DREW

Services:
entry: kadmin/DREW@DREW

Host services:
entry: kftp/drew.sdsc.edu@DREW
entry: kftp/dark@DREW
entry: kftp/portnoy.sdsc.edu@DREW
entry: pop/drew.sdsc.edu@DREW
entry: pop/dark@DREW

Host entries:
entry: host/dark@DREW
entry: host/portnoy.sdsc.edu@DREW
entry: host/drew.sdsc.edu@DREW
entry: host/drew.extern.ucsd.edu@DREW

Me:
entry: drew@DREW
entry: drew/admin@DREW
entry: drew/root@DREW
entry: grossa@DREW

Other users:
entry: moreland@DREW
entry: okumoto@DREW
=========================================================================
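As an added example (it is not part of Andrew's post and not code from the MIT krb5 distribution), here is a small Python evaluator for the two authorization files the procedure above creates: the admin_acl_file whose format is shown in the post ("Name Privileges Comments", "#" comments, "*" meaning all privileges, letters a/c/d/i/m) and the per-user ~/.k5login (one full principal per line). It implements only what the post shows; the real kadmind and krlogind parsers are more involved (later kadm5.acl files add target-principal patterns and wildcards), so treat it as a model of the format rather than a drop-in. The sample ACL lines, the helper/admin principal and the file contents are constructed for the example.

```python
"""Evaluate Kerberos 5 admin_acl_file and ~/.k5login decisions.

Added illustration only: not code from the original post or from MIT
Kerberos.  It models exactly the admin_acl_file format the post shows
and the one-principal-per-line ~/.k5login.  Sample data is constructed.
"""

# Privilege letters as documented in the post's admin_acl_file header.
ADMIN_PRIVS = {
    "a": "Add New Principals",
    "c": "Change Passwords",
    "d": "Delete Current Principals",
    "i": "Inquire About Existing Principals",
    "m": "Modify Existing Principals",
}


def parse_admin_acl(text):
    """Return {principal: set(privilege letters)} from admin_acl_file text.

    Lines are 'Name Privileges [Comments]'; anything after '#' is a
    comment, so the commented-out sample entries grant nothing.
    '*' expands to every privilege letter.  Unknown letters are an error
    rather than silently ignored, since a typo here changes who can
    delete principals.
    """
    acl = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed ACL line: %r" % raw)
        principal, privs = fields[0], fields[1]
        if privs == "*":
            granted = set(ADMIN_PRIVS)
        else:
            unknown = set(privs) - set(ADMIN_PRIVS)
            if unknown:
                raise ValueError("unknown privilege(s) %s in line %r"
                                 % (sorted(unknown), raw))
            granted = set(privs)
        # Duplicate entries for one principal accumulate.
        acl[principal] = acl.get(principal, set()) | granted
    return acl


def admin_allowed(acl, principal, priv):
    """True if `principal` holds admin privilege `priv`.

    Matching is on the full principal string, so drew@REALM (the
    vanilla user) gets nothing from an entry for drew/admin@REALM;
    that separation is why the post creates a distinct /admin instance.
    """
    if priv not in ADMIN_PRIVS:
        raise ValueError("bad privilege %r" % priv)
    return priv in acl.get(principal, set())


def k5login_allows(text, principal):
    """~/.k5login: one full principal per line, exact string match.

    drew/root@REALM is not drew@REALM, so listing only the plain user
    principal does not let the /root instance log in to this account.
    """
    allowed = {line.strip() for line in text.splitlines() if line.strip()}
    return principal in allowed


# Constructed sample files, modelled on the post's examples.
SAMPLE_ACL = """\
#       Administrator Access Control List
#jqsample/admin@realm   *
#tomjones/admin@realm   acim    # Note - May Not Delete
drew/admin@DARK.UCSD.EDU        *
helper/admin@DARK.UCSD.EDU      acim    # constructed: may not delete
"""

SAMPLE_K5LOGIN = "drew@DARK.UCSD.EDU\n"


if __name__ == "__main__":
    acl = parse_admin_acl(SAMPLE_ACL)
    for who, priv in [("drew/admin@DARK.UCSD.EDU", "d"),
                      ("helper/admin@DARK.UCSD.EDU", "d"),
                      ("drew@DARK.UCSD.EDU", "i")]:
        print("%-28s %s -> %s" % (who, ADMIN_PRIVS[priv],
                                  admin_allowed(acl, who, priv)))
    for who in ["drew@DARK.UCSD.EDU", "drew/root@DARK.UCSD.EDU"]:
        print("k5login %-26s -> %s" % (who, k5login_allows(SAMPLE_K5LOGIN, who)))
```

The two checks the post relies on are both exact-string matches on the full principal, which is the point of keeping drew@, drew/admin@ and drew/root@ as three separate principals: a ticket for the everyday user principal buys neither kadmin rights nor a root login.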