[LON-CAPA-admin] kerberos
lucasm at ohiou.edu
Wed Jun 9 18:09:18 EDT 2004
Nathan,
I'm afraid it's one of those things where I set it up long ago, and it
seems to keep working! Let me see what I can summarize:
After a little experimentation what I see is the following:
My /etc/krb5.conf file looks like this:
----------------------------------------------------------------------------
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = oak_cell
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
    ticket_lifetime = 600

[realms]
    oak_cell = {
        kdc = ash.cats.ohiou.edu:88
        kdc = catawba.cats.ohiou.edu:88
    }

[domain_realm]
    .ohiou.edu = oak_cell

[kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = true
    }
-------------------------------------------------------------------
The real meat is in the realms and domain_realm. The latter says that
any machine in the IP domain .ohiou.edu should authenticate against the
kerberos realm oak_cell.
As soon as I modify this file, it seems to take hold. I removed a portion,
tried logging in, and it didn't work. Fixed it, and it worked. The
kerberos library seems to check this file dynamically.
With the proper file in place, you can check it by using kinit:
[root at capa2 etc]# kinit lucasm
Password for lucasm at oak_cell:
[root at capa2 etc]#
The above means it successfully garnered a ticket from the server.
[root at capa2 etc]# kinit lucasm
Password for lucasm at oak_cell:
kinit(v5): Password incorrect while getting initial credentials
[root at capa2 etc]#
The above means I typed gibberish and failed to get a ticket (or something
was not set up properly).
As soon as it passes this test, you can change a user's authentication in
LON-CAPA to use kerberos 5 and enter the realm appropriately.
It should work without restarting anything as far as I know.
The kerberos services (krdc, krb5, ...) do not need to be running.
Let me know how it turns out!
Mark
On Wed, 9 Jun 2004, Nathan Schoenack wrote:
> Guy (and all),
>
> Mark has been helping me along.
>
> It is version 1.2.7 of kerberos 5.
> The realm is "NDSU.NODAK.EDU".
> And I have the addresses (and port) of the kerberos servers.
>
> Now I need to know which files to edit, which daemons to restart, etc...
>
> Nathan Schoenack
> Lab Technician
> Physics Department
> North Dakota State University
> South Engineering 220D
> (701) 231-7047
>
----------------------------------------------------------------------------
Mark Lucas email: lucasm at ohiou.edu
252D Clippinger Lab phone: (740)597-2984
Department of Physics and Astronomy fax: (740)593-0433
Ohio University
Athens, OH 45701
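The realm-to-KDC mapping, the domain_realm entry and the single-DES enctypes are the parts of the krb5.conf above that a reviewer would check before a kinit test. As an added example (not code from this thread or from LON-CAPA), here is a small parser for that file format plus an audit that flags a domain_realm mapping to a realm with no KDC and any deprecated enctype; the sample text and the function names are mine.

```python
# Constructed sample: the [libdefaults]/[realms]/[domain_realm] sections of the krb5.conf above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = oak_cell
  default_tgs_enctypes = des-cbc-crc
  default_tkt_enctypes = des-cbc-crc
[realms]
  oak_cell = {
    kdc = ash.cats.ohiou.edu:88
    kdc = catawba.cats.ohiou.edu:88
  }
[domain_realm]
  .ohiou.edu = oak_cell
"""
# Single DES (RFC 6649) and 3DES/RC4 (RFC 8429) are deprecated Kerberos enctypes.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des3-cbc-sha1", "arcfour-hmac"}
def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values] | {subkey: [values]}}}.
    Repeated keys (two kdc lines) accumulate; one level of { } nesting is handled."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None  # back to the enclosing section
        elif line:
            key, _, value = (p.strip() for p in line.partition("="))
            if section is None:
                raise ValueError(f"{key!r} appears outside any [section]")
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section).setdefault(key, []).append(value)
    return conf
def audit(conf):
    """Return findings: unresolvable realm references and deprecated enctypes."""
    findings, lib, realms = [], conf.get("libdefaults", {}), conf.get("realms", {})
    realm = lib.get("default_realm", [None])[0]
    if not isinstance(realms.get(realm), dict) or not realms[realm].get("kdc"):
        findings.append(f"default_realm {realm!r} has no [realms] entry listing a kdc")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        weak = sorted(set(" ".join(lib.get(key, [])).split()) & WEAK_ENCTYPES)
        if weak:
            findings.append(f"{key} allows deprecated enctype(s): {' '.join(weak)}")
    for target in sorted({v for vals in conf.get("domain_realm", {}).values() for v in vals}):
        if target not in realms:
            findings.append(f"[domain_realm] maps to undefined realm {target!r}")
    return findings
```

Run against the sample it reports the two des-cbc-crc settings and nothing else; a kinit failure like the one shown in the message is often a mapping error this catches before you touch the KDC.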