[4695] in Kerberos
Re: Kerberos 5 install doc, is this what you mean
daemon@ATHENA.MIT.EDU (Lenny Miceli)
Tue Feb 28 17:07:20 1995
Date: Tue, 28 Feb 1995 15:53:56 -0500 (EST)
From: Lenny Miceli <TKSLEN@ubvms.cc.buffalo.edu>
To: kerberos@MIT.EDU
Cc: TKSLEN@ubvms.cc.buffalo.edu
Is what you wanted below (following my sig)? I found this while browsing
through the old archives. I left the original poster's name in it to give
him the credit; he deserves it.
I will also put this document and other documents that I find helpful at my
site for anon FTP. FTP to ubvms.cc.buffalo.edu or ubvmsb.cc.buffalo.edu,
cd [.kerberos.install_info], and this file is called INSTALL_NOTES.TXT.
This is all I have at the moment but I will begin putting stuff under the
pertinent subdirectories of [.kerberos]. I was selected to be the kerberos
administrator at my site so I am going through this learning curve like
everyone else. I will try and be one of the ones that will disperse this
"impossible to find information" %-), hey someone has to do it. If anyone
wants their information kept at my site feel free to send it to me.
Lenny Miceli - Consultant, Systems Analyst University at Buffalo
Technical Services, Computing & Information Technology 235 Computing Center
716-645-3565 Phone / 716-645-3734 FAX Buffalo, NY 14260-1408
Mail: tkslen@ubvms.cc.buffalo.edu or tkslen@ubvms.bitnet
WWW: http://ubvms.cc.buffalo.edu/~tkslen/index.html
Kerberos 5 - what to do after you install
daemon@ATHENA.MIT.EDU (Sat Dec 17 1994 06:31:31)
Date: Sat, 17 Dec 94 03:25:07 -0800
From: Andrew Gross <drew@drew.sdsc.edu>
To: kerberos@MIT.EDU
Hello,
Hobbit has encouraged me to offer these instructions. They come
from the K4 setup instructions, from looking at code, and from notes
on this mailing list.
These are not the most clear instructions. They are terse and are
no help if something is not working. If there are comments/edits
to make these more useful to the public at large, I'll try to add them
in my copious free time.
Enjoy,
Andrew Gross
=========================================================================
From: grossa@sdsc.edu
> Can you send me the krb set up info?
Ok, first...
In .../krb5/admin
./kdb5_create
Give it the master kerberos password
./kdb5_stash
Give it the master kerberos password
./kdb5_edit
ldb
You should see something like:
(Replace DARK.UCSD.EDU with your realm)
entry: K/M@DARK.UCSD.EDU
entry: krbtgt/DARK.UCSD.EDU@DARK.UCSD.EDU
These are the kerberos master and tgt service (clearly).
Now add the following principals with ark (random key since services):
kadmin/DARK.UCSD.EDU@DARK.UCSD.EDU
for kadmin and kpasswd
Now add user principals with ank (so you can set the password):
drew@DARK.UCSD.EDU
vanilla user
drew/admin@DARK.UCSD.EDU
for access to kadmin
drew/root@DARK.UCSD.EDU
for v4 ksu
Now add host principals (with ark):
host/dark@DARK.UCSD.EDU
host/drew.extern.ucsd.edu@DARK.UCSD.EDU
host/portnoy.sdsc.edu@DARK.UCSD.EDU
Extract a v5srvtab with:
xst host_name host
Move this to .../krb5/v5srvtab.
Add these to /etc/services:
# Real kerberos info
kerberos 88/udp kdc # Kerberos authentication--udp
kerberos 88/tcp kdc # Kerberos authentication--tcp
kerberos5 88/udp kdc # Kerberos authentication--udp
kerberos5 88/tcp kdc # Kerberos authentication--tcp
klogin 543/tcp # Kerberos authenticated rlogin
kshell 544/tcp cmd # and remote shell
kerberos-adm 749/tcp # Kerberos 5 admin/changepw
kerberos-adm 749/udp # Kerberos 5 admin/changepw
kerberos4 750/udp # Kerberos authentication--udp
kerberos4 750/tcp # Kerberos authentication--tcp
kerberos-sec 750/udp # Kerberos authentication--udp
kerberos-sec 750/tcp # Kerberos authentication--tcp
kerberos_master 751/udp # Kerberos authentication
kerberos_master 751/tcp # Kerberos authentication
krb_prop 754/tcp # Kerberos slave propagation
kftp 765/tcp # Kerberos ftp
kpop 1109/tcp # Pop with Kerberos
eklogin 2105/tcp # Kerberos encrypted rlogin
ekshell 2106/tcp # Kerberos encrypted rsh
#
Now start the kdc: .../krb5/sbin/krb5kdc &
Try kinit, klist, and kdestroy - they should all work at this point.
Next start kadmind as with kdc. Now kadmin and kpasswd should work...
Add the following file:
.../krb5/admin_acl_file:
# Administrator Access Control List
# Format:
# Name Privileges Comments
# Where Privileges is a string containing one or more of
# "a" Add New Principals
# "c" Change Passwords
# "d" Delete Current Principals
# "i" Inquire About Existing Principals
# "m" Modify Existing Principals
# "*" All Privileges
#jqsample/admin@realm *
#tomjones/admin@realm acim # Note - May Not Delete
drew/admin@DARK.UCSD.EDU *
Change the last line to your admin principal. Now try kadmin...
Add this to /etc/inetd.conf:
# kerberos
klogin stream tcp nowait root /krb5/sbin/krlogind Klogind
eklogin stream tcp nowait root /krb5/sbin/krlogind eKlogind
kshell stream tcp nowait root /krb5/sbin/krshd Kshd
kill -HUP inetd. Now add a ~/.k5login with your principal in
it, e.g.
drew@DARK.UCSD.EDU
Now you should be able to rlogin, rsh and rcp to yourself.
Now you need to make a host/?@R prin. for any other host you want to
speak kerberos with and xst that into a v5srvtab for that host.
=========================================================================
My principal list:
Default:
entry: K/M@DREW
entry: krbtgt/DREW@DREW
Interrealm: (need same password and vno on both servers)
entry: krbtgt/DREW@RCS.COM
entry: krbtgt/RCS.COM@DREW
K4:
entry: changepw/kerberos@DREW
Services:
entry: kadmin/DREW@DREW
Host services:
entry: kftp/drew.sdsc.edu@DREW
entry: kftp/dark@DREW
entry: kftp/portnoy.sdsc.edu@DREW
entry: pop/drew.sdsc.edu@DREW
entry: pop/dark@DREW
Host entries:
entry: host/dark@DREW
entry: host/portnoy.sdsc.edu@DREW
entry: host/drew.sdsc.edu@DREW
entry: host/drew.extern.ucsd.edu@DREW
Me:
entry: drew@DREW
entry: drew/admin@DREW
entry: drew/root@DREW
entry: grossa@DREW
Other users:
entry: moreland@DREW
entry: okumoto@DREW
=========================================================================
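
Added example, not part of either original message and not MIT's code: a small parser and reviewer for the admin_acl_file format quoted above (Name, Privileges, with the letters a/c/d/i/m/*). It assumes anything after a "#" is a comment and that administrative principals use the /admin instance as in the message; the sample entries are constructed.

```python
# Added example: parse and review an admin_acl_file in the format shown above.
# Assumptions: "#" starts a comment; admin principals use the "/admin" instance.

NAMES = {"a": "add", "c": "change-password", "d": "delete",
         "i": "inquire", "m": "modify"}
VALID = set(NAMES) | {"*"}

# Constructed sample input, modelled on the file in the message.
SAMPLE_ACL = """\
# Administrator Access Control List
#jqsample/admin@realm *
tomjones/admin@DARK.UCSD.EDU acim   # Note - May Not Delete
drew/admin@DARK.UCSD.EDU *
drew@DARK.UCSD.EDU ad
helpdesk/admin@DARK.UCSD.EDU cx
"""

def parse_acl(text):
    """Return (entries, errors); entries are (principal, set_of_privileges)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            errors.append((lineno, "expected 'Name Privileges'"))
            continue
        principal, privs = fields
        bad = set(privs) - VALID
        if bad:
            errors.append((lineno, "unknown privilege(s): " + "".join(sorted(bad))))
            continue
        # "*" expands to every privilege letter.
        entries.append((principal, set(NAMES) if "*" in privs else set(privs)))
    return entries, errors

def audit(entries):
    """Flag entries worth a second look during an ACL review."""
    findings = []
    for principal, privs in entries:
        name = principal.split("@", 1)[0]
        if not name.endswith("/admin"):
            findings.append((principal, "privileges granted to a non-admin instance"))
        if privs == set(NAMES):
            findings.append((principal, "holds all privileges"))
    return findings
```
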