[LON-CAPA-admin] kerberos

lucasm at ohiou.edu lucasm at ohiou.edu
Wed Jun 9 18:09:18 EDT 2004


Nathan,

I'm afraid it's one of those things where I set it up long ago, and it 
seems to keep working! Let me see what I can summarize:

After a little experimentation what I see is the following:

My /etc/krb5.conf file looks like this:

----------------------------------------------------------------------------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
        default_realm = oak_cell
        default_tgs_enctypes = des-cbc-crc
        default_tkt_enctypes = des-cbc-crc
        ticket_lifetime = 600

[realms]
        oak_cell = {
                kdc = ash.cats.ohiou.edu:88
                kdc = catawba.cats.ohiou.edu:88
        }

[domain_realm]
        .ohiou.edu = oak_cell

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = true
 }
-------------------------------------------------------------------
The real meat is in the realms and domain_realm. The latter says that
any machine in the IP domain .ohiou.edu should authenticate against the 
kerberos realm oak_cell.

As soon as I modify this file, it seems to take hold. I removed a portion, 
tried logging in, and it didn't work. Fixed it, and it worked. The 
kerberos library seems to check this file dynamically.

With the proper file in place, you can check it by using kinit:

[root at capa2 etc]# kinit lucasm
Password for lucasm at oak_cell:
[root at capa2 etc]#

The above means it successfully garnered a ticket from the server.

[root at capa2 etc]# kinit lucasm
Password for lucasm at oak_cell:
kinit(v5): Password incorrect while getting initial credentials
[root at capa2 etc]#

The above means I typed gibberish and failed to get a ticket (or something 
was not set up properly).

As soon as it passes this test, you can change a user's authentication in 
LON-CAPA to use kerberos 5 and enter the realm appropriately.
It should work without restarting anything as far as I know.

The kerberos services (krdc, krb5, ...) do not need to be running.

Let me know how it turns out!

Mark

 
On Wed, 9 Jun 2004, Nathan Schoenack wrote:

> Guy (and all),
> 
> Mark has been helping me along.
> 
> It is version 1.2.7 of kerberos 5.
> The realm is "NDSU.NODAK.EDU".
> And I have the addresses (and port) of the kerberos servers.  
> 
> Now I need to know which files to edit, which daemons to restart, etc...
> 
> Nathan Schoenack	
> Lab Technician
> Physics Department 
> North Dakota State University
> South Engineering 220D
> (701) 231-7047
>  

----------------------------------------------------------------------------
Mark Lucas					email: lucasm at ohiou.edu
252D Clippinger Lab  				phone: (740)597-2984
Department of Physics and Astronomy             fax:   (740)593-0433
Ohio University
Athens, OH 45701
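Added example (not from the post or from LON-CAPA): a small Python check that parses a krb5.conf like the one above, resolves a host through [domain_realm] to its realm's kdc entries the way the post describes, and flags single-DES enctypes such as the des-cbc-crc shown. The trimmed config and the hostname capa2.ohiou.edu are constructed from the post's values.

```python
import re
# Constructed sample: the [libdefaults], [realms] and [domain_realm] sections from the post.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = oak_cell
    default_tkt_enctypes = des-cbc-crc
[realms]
    oak_cell = {
        kdc = ash.cats.ohiou.edu:88
        kdc = catawba.cats.ohiou.edu:88
    }
[domain_realm]
    .ohiou.edu = oak_cell
"""
# Single-DES enctypes are long deprecated; flag them so an admin notices.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

def parse_krb5_conf(text):
    """Return {section: {key: [values]}} from krb5.conf text (comments skipped); 'name = {' opens a nested dict."""
    conf, section, sub = {}, None, None
    for line in filter(None, (l.split("#", 1)[0].strip() for l in text.splitlines())):
        if re.fullmatch(r"\[\w+\]", line):
            section, sub = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            sub = None
        else:
            key, _, val = (p.strip() for p in line.partition("="))
            if val == "{":                       # open a nested block such as a realm
                conf[section][key], sub = {}, key
            else:                                # repeated keys (kdc = ...) collect into a list
                target = conf[section][sub] if sub else conf[section]
                target.setdefault(key, []).append(val)
    return conf

def check_host_auth(conf, hostname):
    """Resolve hostname -> realm -> KDC list as the post describes; return (realm, kdcs, findings)."""
    findings, libdefaults = [], conf.get("libdefaults", {})
    # [domain_realm]: exact host entry, or a leading-dot domain suffix; the longest suffix wins.
    matches = [(s, r[0]) for s, r in conf.get("domain_realm", {}).items()
               if hostname == s or (s.startswith(".") and hostname.endswith(s))]
    realm = max(matches, key=lambda sr: len(sr[0]))[1] if matches else None
    if realm is None:
        realm = libdefaults.get("default_realm", [None])[0]
        findings.append("no [domain_realm] match; falling back to default_realm")
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if not kdcs:
        findings.append(f"realm {realm!r} has no kdc entries in [realms]")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        findings += [f"{key} uses weak enctype {e}" for e in libdefaults.get(key, []) if e in WEAK_ENCTYPES]
    return realm, kdcs, findings
```

Deleting the [domain_realm] section, as the post's experiment did, makes the check fall back to default_realm and report it, while a realm with no kdc lines is reported as unreachable.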