doc-heimdal-conversion-howto-20011224

short explanation of how to convert from a kaserver to a heimdal kdc
including setting up iprop
This commit is contained in:
Derrick Brashear 2001-12-24 21:19:07 +00:00
parent ddaf08d4b8
commit 4e02670a22

132
doc/txt/ka2heim.txt Normal file
View File

@ -0,0 +1,132 @@
-Build heimdal. Include --enable-kaserver and --enable-kaserver-db when you configure. You also need kth-krb installed and --with-krb4 turned on for maximum utility.
-Install heimdal
-Set up /var/heimdal. You need on the master:
-A text file named slaves with e.g.:
--Begin slaves file--
iprop/full.name.of.slave1@YOUR.REALM
iprop/full.name.of.slave2@YOUR.REALM
--End slaves file--
if you had only these 2 slaves
-A text file named kadmind.acl with e.g.:
--Begin kadmind.acl file--
shadow/admin all
adm/admin all
--End kadmind.acl file--
The man page for kadmind explains the format and rights for this file.
-Set up inetd.conf or equivalent. You want at least krb5 kadmind, which is:
kerberos-adm stream tcp nowait root /usr/local/libexec/kadmind kadmind
You may also want krb4 kadmind (which also allows krb4 password clients to work):
kerberos_master stream tcp nowait root /usr/local/libexec/kadmind v4kadmind
Obviously these may vary for your particular inetd and installed paths.
-Set up your rc scripts. Your master will run e.g.:
/usr/local/libexec/kdc
/usr/local/libexec/kpasswdd
/usr/local/libexec/ipropd-master
Your slaves will run:
/usr/local/libexec/kdc
/usr/local/libexec/ipropd-slave host.name.of.master
Mine run out of the bosserver.
-Set up krb5.conf
Mine looks like:
--Beginning of krb5.conf--
[libdefaults]
default_realm = YOUR.REALM
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
default_etypes = des-cbc-crc
default_etypes_des = des-cbc-crc
clockskew = 300
checksum_type = 1
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
imap = imap
smtp = smtp
lmtp = lmtp
ldap = ldap
acap = acap
}
}
[realms]
YOUR.REALM = {
kdc = host.name.of.master
kdc = host.name.of.slave1
kdc = host.name.of.slave2
admin_server = host.name.of.master
default_domain = my.domain
v4_domains = my.domain subdomain.my.domain other.domain.using.my.realm
}
[domain_realm]
.my.domain = YOUR.REALM
.subdomain.my.domain = YOUR.REALM
.other.domain.using.my.realm = YOUR.REALM
[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/heimdal/kdc.log
admin_server = FILE:/var/heimdal/kadm5.log
[kdc]
enable-kerberos4 = true
enable-kaserver = true
enable-524 = true
[kadmin]
default_keys = v4 v5
--End of krb5.conf--
Note that I make kadmin create v4 and v5 but no afs keys. This is deliberate. AFS can deal with v4 keys and that has been so since around AFS 3.1b. You don't need afs keys for anything other than kas and AFS kpasswd, and you're done with those now. the v4_domains and domain_realm section are to ease your burden if you support a realm which spans multiple dns domains, and may not apply to you.
-Create a master key on your master and slaves:
# kstash
Master key:
Verifying password - Master key:
-Create a krb5 database
# kadmin -l
init YOUR.REALM
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
The questions are a matter of policy. You have to decide what's appropriate.
-Copy the database
# hprop --source=kaserver -c your.cell -r YOUR.REALM -R YOUR.REALM -n|hpropd -n
-Create the other keys you need on the master using kadmin -l:
On your master you will need in /etc/krb5.keytab all of the following:
iprop/host.name.of.master@YOUR.REALM
kadmin/hprop@YOUR.REALM
kadmin/admin@YOUR.REALM
kadmin/changepw@YOUR.REALM
and if you use v4kadmind,
changepw/kerberos@YOUR.REALM
Create using ank -r, then use ext_keytab to get them in your keytab.
-Start your kdc, and make sure kadmind is running, at least
-On your slaves you will need only
iprop/host.name.of.this.slave@YOUR.REALM
You can now run kadmin -p some/admin if that admin is in kadmind.acl on the master, and use ank -r and ext_keytab to do this step.
-Now, you can enable the master and slave ipropds. Run a client against a slave kdc and/or read the logs. Hopefully you're in business.
-Enable kpasswdd on the master. You should now be done.