[7453] in Kerberos


Re: DCE and terminal servers

daemon@ATHENA.MIT.EDU (Michael Helm)
Tue Jun 11 03:40:44 1996

To: kerberos@MIT.EDU
Date: 10 Jun 1996 21:30:04 GMT
From: mike@fionn.lbl.gov (Michael Helm)
Reply-To: mike@fionn.lbl.gov (Michael Helm)

cc@austin.ibm.com writes:
>I have been able to authenticate our Xyplex terminal server off of an
>IBM DCE 2.1 Registry.  The details were posted by Jeff Earickson to

Just in time for summer rerun:

From: Jeff Earickson <jaearick@colby.edu>
Newsgroups: comp.soft-sys.dce
Subject: ** How to get Xyplex termservers to speak DCE **
Date: Mon, 20 Nov 1995 11:12:39 -0500
Organization: Colby College, Waterville ME 04901
Message-ID: <Pine.HPP.3.91.951120110948.6827D-100000@jaearick2.offices.computer-services.colby.edu>


    *** How to Configure your Xyplex Terminal Server, ***
                *** to talk to your DCE cell ***
               *** for Authentication of Users. ***

Xyplex terminal servers have the feature that they can authenticate
users in a Kerberos 5 realm.  I wanted my Xyplex boxes to authenticate
users in my DCE cell, and how to set this up was not documented anywhere.
With the kind help of Jim Christenson (3M Information Technologies), and
some basic pointers from Xyplex, I figured this out last week.  Here is
how to do it:

1) Get a DCE cell up and going, as per your vendor's instructions.  
For a minimal test of my Xyplex box, I set up a master DCE registry
on one UNIX box, added a couple of users to the registry, and set 
passwords on the DCE accounts.

2) Make sure that your Xyplex terminal server is running the latest 
version of the Xyplex software, and that Kerberos 5 is enabled on it.  
Log in to the Xyplex and type "show server kerberos".  The Xyplex
software version number is on the top line of output; it should be
version 6.0 or later.  If the software is out of date, upgrade it.

If you don't see "Kerberos 5" from this output, do the following:

   def server kerberos 5 enabled
   init d 1                      <---reboot the xyplex box

Rebooting the box will disconnect anybody else logged in thru it...

3) Enter the following commands on your Xyplex terminal server to set 
it up for Kerberos/DCE usage:

   show server kerberos
   set priv
   (enter password)
   def server kerberos security login
   set server kerberos security login
   def server kerberos realm "xyplex.com"
   set server kerberos realm "xyplex.com"
   def server kerberos master 140.179.254.150
   set server kerberos master 140.179.254.150
   def server kerberos primary server 140.179.254.150
   set server kerberos primary server 140.179.254.150
   def server kerberos secondary server 140.179.254.155
   set server kerberos secondary server 140.179.254.155
   show server kerberos

Some things to note here:

   * The name of your DCE cell is what you enter for the name of
     the Kerberos realm.   CASE IS IMPORTANT!!  Since DCE cells
     are usually in lowercase, surround the name in quotes to 
     prevent the Xyplex from promoting it to upper case.  If you
     have the wrong case then nothing works. (Thanks to Jim Christenson
     of 3M Information Technologies for pointing this out.)

   * The name or IP number of the Kerberos master and primary server
     is the system where your DCE master security registry lives.

   * The name or IP number of the secondary server can point to a
     DCE replica server.

4) Configure a port on your Xyplex for Kerberos, in order to test the
interaction of the Xyplex box with your DCE cell.  In this example, I
used port 18 as my test port:

   show port 18
   def port 18 kerberos enabled
   set port 18 kerberos enabled
   show port 18
   show server kerberos

In the output of the final "show server kerberos" you should note that port 
18 is listed as enabled for Kerberos.

Before you enable all ports on the Xyplex for Kerberos, you are wise to 
only enable one port and test things first.  If you enable port 0 for
Kerberos and things aren't working right then you may not be able to 
get logged back into the terminal server to fix the problem.

5) Hook a dumb terminal to your test port.  I used a DCE vt220 terminal.  
Ensure that your terminal speed matches the port speed (or vice versa).  
Since my vt220 only goes at 19200 baud, I had to:

   set port 18 speed 19200
   def port 18 speed 19200

on the Xyplex to get a proper connection.

6) Once you get a prompt on the terminal, try logging on.  The Xyplex 
should accept logins for valid DCE accounts, and reject others.  While
testing your terminal logins, watch the syslogd output on your DCE security 
server (you may have to run secd in verbose mode).  You should see 
Authentication Service (AS) log messages from secd.  Secd should note
that unknown principals tried to contact it when you enter in a userid 
not contained in the DCE registry.

7) At this point, your Xyplex terminal server should be properly authenticating
users listed in your DCE registry.  Enable the other ports of your Xyplex
for Kerberos, as was done in step 4 above.  Hopefully, live happily ever after.


** Jeff A. Earickson, Ph.D                         PHONE: 207-872-3659
** Senior UNIX Sysadmin, Information Technology    EMAIL: jaearick@colby.edu
** Colby College, 4214 Mayflower Hill,               FAX: 207-872-3555
** Waterville ME, 04901-8842
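
An added example, not part of the original post or of any Xyplex tooling: a small Python checker for a command list written in the style of steps 3 and 4. It checks the conventions the post follows or warns about: every def paired with a set, a lowercase realm quoted, and no port 0 before a single test port. The sample command lists are constructed, and the command syntax is taken only from the post.

```python
import re

# Constructed sample input: commands in the style of steps 3 and 4, with
# mistakes introduced on purpose for the checker to find.
SAMPLE = '''\
def server kerberos security login
set server kerberos security login
def server kerberos realm xyplex.com
set server kerberos realm xyplex.com
def server kerberos master 140.179.254.150
def port 0 kerberos enabled
set port 0 kerberos enabled
'''

# Constructed sample input that follows the post's advice.
GOOD = '''\
def server kerberos realm "xyplex.com"
set server kerberos realm "xyplex.com"
def port 18 kerberos enabled
set port 18 kerberos enabled
'''

def lint(script):
    """Return (line_number, message) findings, in line order."""
    cmds = [(n, " ".join(line.split()))
            for n, line in enumerate(script.splitlines(), 1) if line.strip()]
    set_bodies = {c[4:] for _, c in cmds if c.startswith("set ")}
    findings = []
    test_port_seen = False
    for n, c in cmds:
        verb, _, body = c.partition(" ")
        # Steps 3 and 4 issue every setting as a def/set pair.
        if verb == "def" and body not in set_bodies:
            findings.append((n, "def without matching set"))
        # Per the post, an unquoted realm is promoted to upper case.
        m = re.fullmatch(r"server kerberos realm (\S+)", body)
        if m:
            realm = m.group(1)
            quoted = re.fullmatch(r'"[^"]+"', realm) is not None
            if not quoted and realm != realm.upper():
                findings.append((n, "lowercase realm is not quoted"))
        # Port 0 before a single test port risks locking yourself out.
        m = re.fullmatch(r"port (\d+) kerberos enabled", body)
        if m and m.group(1) == "0" and not test_port_seen:
            findings.append((n, "port 0 enabled before a test port"))
        elif m and m.group(1) != "0":
            test_port_seen = True
    return findings
```
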



