[7711] in Kerberos


Re: Seeding V5 principal database

daemon@ATHENA.MIT.EDU (Jim Garlick)
Fri Aug 2 20:09:12 1996

To: kerberos@MIT.EDU
Date: 2 Aug 1996 23:27:27 GMT
From: garlick@ecst.csuchico.edu (Jim Garlick)

In article <4tt6su$1ac@nuacht.iol.ie>, Ronan Mullally <ronan@iol.ie> wrote:
>We'd like to move our authentication system over to kerberos.  We've
>got a mixed environment of Solaris / IRIX / Linux servers which we hope 
>to make kerberos-aware for services like telnet, ftp, POP, radius and 
>WWW.  We're currently using ol' fashioned /etc/{passwd,shadow}.
>
>However...  How do we go about setting up the principal database?
>From what I can gather we'd need clear-text passwords for every one
>of our users (>> 15,000 people), which is not practical.  Is there
>any means of importing /etc/shadow to initialise the database?

We have the same problem and our solution was to build a version of
login.krb5 that calls kadmin5 functions to add a principal if the person
passes /etc/shadow but doesn't have a principal.  The idea is that after
everyone has been through login.krb5 at least once, you get rid of the
encrypted passwords and authenticate through kerberos exclusively.

I had login.krb5 use the v5srvtab host principal and then I grant add
rights to host/*@MY.REALM in my kadmind5 ACL file.

I can share my Makefiles and diffs, but I'm not sure how painful they
will be for someone other than me to look at.  Actually, I know they were
somewhat painful but usable for a colleague of mine, but your mileage may vary.

Jim Garlick
College of Engineering
CSU Chico
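Editor's note, added to this archive page and not part of Jim Garlick's post or his login.krb5 diffs: the step his wrapper performs after a successful /etc/shadow check ("no principal yet, so create one as the host principal") can be written with the present-day MIT Kerberos kadmin(1) client instead of the 1996 kadmin5 library. Everything named below is an assumption for the example: realm EXAMPLE.COM, host keytab /etc/krb5.keytab (the successor of v5srvtab), the kadm5.acl line in the header comment (modern syntax; the trailing target field limits the host keys to adding single-component user principals, which is a narrower grant than "add rights to host/*"), and the return codes. The caller must already have verified the password against /etc/shadow; the script only mirrors the verified password into the KDC.

```shell
#!/bin/sh
# Added example, not Jim Garlick's login.krb5 patch: the "no principal yet,
# so create one" step his wrapper performs, redone with the present-day MIT
# Kerberos kadmin(1) client. Assumed names: realm EXAMPLE.COM, host keytab
# /etc/krb5.keytab (successor of v5srvtab). The caller must have ALREADY
# verified $2 against /etc/shadow; this only mirrors the verified password
# into the KDC.
#
# Matching kadm5.acl entry (assumed modern syntax): every host key may add
# principals, but only single-component user principals in the realm:
#   host/*@EXAMPLE.COM   a   *@EXAMPLE.COM

: "${REALM:=EXAMPLE.COM}"
: "${KEYTAB:=/etc/krb5.keytab}"
: "${HOSTPRINC:=host/$(hostname -f 2>/dev/null || echo localhost)@$REALM}"

# One kadmin query, authenticated with the host principal's keytab
# (kadmin -k -t KEYTAB -p PRINCIPAL -q QUERY).
kadmin_q() {
    kadmin -k -t "$KEYTAB" -p "$HOSTPRINC" -q "$1"
}

# 0 if USER@REALM already exists in the KDC, non-zero otherwise.
principal_exists() {
    kadmin_q "get_principal $1@$REALM" >/dev/null 2>&1
}

# The password is handed to kadmin inside a single -q string, so refuse
# anything that its tokenizer (or the shell) could split or misread.
password_is_safe() {
    case $1 in
        "" | *[!A-Za-z0-9_.,:%^+=@#~-]*) return 1 ;;
    esac
    return 0
}

# ensure_principal USER PASSWORD
#   0  principal created
#   1  kadmin failed (ACL denies, keytab unusable, KDC unreachable, ...)
#   2  password rejected by password_is_safe
#   3  principal already present; nothing to do
ensure_principal() {
    user=$1 pw=$2
    if principal_exists "$user"; then
        return 3
    fi
    password_is_safe "$pw" || return 2
    # -pw puts the password in kadmin's argv, briefly visible in ps(1) on
    # the login host; that is the trade-off this migration accepts.
    kadmin_q "add_principal -pw $pw $user@$REALM" >/dev/null 2>&1 || return 1
    return 0
}

# Stand-alone use: migrate-principal.sh USER PASSWORD (after a shadow check).
if [ "$#" -eq 2 ]; then
    ensure_principal "$1" "$2"
    exit $?
fi
```

The distinct return codes matter for the wrapper that calls this: "already present" (3) should let the login proceed silently, "kadmin failed" (1) should be logged but must not lock the user out while /etc/shadow is still authoritative, and "password rejected" (2) is the case to surface to the user, since that account will never get migrated automatically.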
