mirror of
https://git.openafs.org/openafs.git
synced 2025-01-22 17:00:15 +00:00
4e02670a22
short explanation of how to convert from a kaserver to a heimdal kdc including setting up iprop
132 lines
4.1 KiB
Plaintext
-Build heimdal. Include --enable-kaserver and --enable-kaserver-db when you configure. You also need kth-krb installed and --with-krb4 turned on for maximum utility.

-Install heimdal.
-Set up /var/heimdal. On the master you need:

 -A text file named slaves listing one iprop principal per slave, e.g. (if you had only these two slaves):

--Begin slaves file--
iprop/full.name.of.slave1@YOUR.REALM
iprop/full.name.of.slave2@YOUR.REALM
--End slaves file--

 -A text file named kadmind.acl, e.g.:

--Begin kadmind.acl file--
shadow/admin all
adm/admin all
--End kadmind.acl file--

The man page for kadmind explains the format of this file and the rights it can grant.
-Set up inetd.conf or equivalent. You want at least the krb5 kadmind, which is:

kerberos-adm stream tcp nowait root /usr/local/libexec/kadmind kadmind

You may also want the krb4 kadmind (which also allows krb4 password clients to work):

kerberos_master stream tcp nowait root /usr/local/libexec/kadmind v4kadmind

Obviously these lines may vary for your particular inetd and installed paths.
-Set up your rc scripts. Your master will run e.g.:

/usr/local/libexec/kdc
/usr/local/libexec/kpasswdd
/usr/local/libexec/ipropd-master

Your slaves will run:

/usr/local/libexec/kdc
/usr/local/libexec/ipropd-slave host.name.of.master

Mine run out of the bosserver.
-Set up krb5.conf. Mine looks like:

--Beginning of krb5.conf--
[libdefaults]
	default_realm = YOUR.REALM
	default_tgs_enctypes = des-cbc-crc
	default_tkt_enctypes = des-cbc-crc
	default_etypes = des-cbc-crc
	default_etypes_des = des-cbc-crc
	clockskew = 300
	checksum_type = 1
	v4_instance_resolve = false
	v4_name_convert = {
		host = {
			rcmd = host
			ftp = ftp
			imap = imap
			smtp = smtp
			lmtp = lmtp
			ldap = ldap
			acap = acap
		}
	}

[realms]
	YOUR.REALM = {
		kdc = host.name.of.master
		kdc = host.name.of.slave1
		kdc = host.name.of.slave2
		admin_server = host.name.of.master
		default_domain = my.domain
		v4_domains = my.domain subdomain.my.domain other.domain.using.my.realm
	}

[domain_realm]
	.my.domain = YOUR.REALM
	.subdomain.my.domain = YOUR.REALM
	.other.domain.using.my.realm = YOUR.REALM

[logging]
	default = SYSLOG:NOTICE:DAEMON
	kdc = FILE:/var/heimdal/kdc.log
	admin_server = FILE:/var/heimdal/kadm5.log

[kdc]
	enable-kerberos4 = true
	enable-kaserver = true
	enable-524 = true

[kadmin]
	default_keys = v4 v5
--End of krb5.conf--
Note that I make kadmin create v4 and v5 keys but no afs keys. This is deliberate: AFS can use v4 keys, and has been able to since around AFS 3.1b. You only need afs keys for kas and AFS kpasswd, and you're done with those now. The v4_domains setting and the domain_realm section are there to ease your burden if you support a realm which spans multiple DNS domains, and may not apply to you.
-Create a master key on your master and slaves:

# kstash
Master key:
Verifying password - Master key:

-Create a krb5 database:

# kadmin -l
init YOUR.REALM
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:

The questions are a matter of policy. You have to decide what's appropriate.

-Copy the database from the kaserver:

# hprop --source=kaserver -c your.cell -r YOUR.REALM -R YOUR.REALM -n|hpropd -n
-Create the other keys you need on the master using kadmin -l. On your master you will need all of the following in /etc/krb5.keytab:

iprop/host.name.of.master@YOUR.REALM
kadmin/hprop@YOUR.REALM
kadmin/admin@YOUR.REALM
kadmin/changepw@YOUR.REALM

and, if you use v4kadmind,

changepw/kerberos@YOUR.REALM

Create each principal with ank -r, then use ext_keytab to get it into your keytab.
-Start your kdc, and make sure that at least kadmind is running.

-On your slaves you will need only:

iprop/host.name.of.this.slave@YOUR.REALM

You can now run kadmin -p some/admin (provided that admin is in kadmind.acl on the master) and use ank -r and ext_keytab to do this step.
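Before enabling ipropd it is worth confirming that the slaves file and the per-host keytab principals listed above agree with the kdc and admin_server entries in krb5.conf. The following is an added consistency check, not code from the OpenAFS note or from Heimdal; it parses only the [realms] section, assumes the admin_server host is the iprop master, and uses a constructed sample cut down from the krb5.conf above.

```python
# Constructed sample, cut down from the [realms] section of the krb5.conf above.
KRB5_CONF = """\
[realms]
    YOUR.REALM = {
        kdc = host.name.of.master
        kdc = host.name.of.slave1
        kdc = host.name.of.slave2
        admin_server = host.name.of.master
    }
"""

def parse_realms(text):
    """Return {realm: {key: [values]}} for the [realms] section of a krb5.conf."""
    realms, current, in_realms = {}, None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if line.startswith("["):                     # section header
            in_realms = (line == "[realms]")
        elif not in_realms or not line:
            continue
        elif line.endswith("{"):                     # "REALM = {" opens a realm block
            current = realms.setdefault(line.split("=", 1)[0].strip(), {})
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            current.setdefault(key, []).append(val)   # "kdc" repeats, one per host
    return realms

def keytab_principals(realm, info, v4kadmind=False):
    """Principals /etc/krb5.keytab must hold on each KDC host, per the note."""
    master = info["admin_server"][0]                 # assumption: admin_server is the iprop master
    need = {}
    for host in info["kdc"]:
        princs = ["iprop/%s@%s" % (host, realm)]     # every KDC needs its iprop key
        if host == master:                           # master also runs kadmind/hprop
            princs += ["kadmin/%s@%s" % (s, realm) for s in ("hprop", "admin", "changepw")]
            if v4kadmind:
                princs.append("changepw/kerberos@" + realm)
        need[host] = princs
    return need

def slaves_file(realm, info):      # expected /var/heimdal/slaves on the master
    master = info["admin_server"][0]
    return ["iprop/%s@%s" % (h, realm) for h in info["kdc"] if h != master]

def check_slaves(existing_text, realm, info):   # -> (missing, extra) lines
    have = {l.strip() for l in existing_text.splitlines() if l.strip()}
    want = set(slaves_file(realm, info))
    return sorted(want - have), sorted(have - want)
```

A non-empty "missing" list means a KDC in krb5.conf will never receive propagated updates; a non-empty "extra" list means ipropd-master will try to push to a host that is no longer a KDC.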
-Now you can enable the master and slave ipropds. Run a client against a slave kdc and/or read the logs to confirm the slaves are receiving updates. Hopefully you're in business.

-Enable kpasswdd on the master. You should now be done.