[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Kerberos5 slave from Kerberos4 master.
Mark Hindess <ccsmrh@bath.ac.uk> writes:
> The documentation for heimdal states that it is possible to set up a
> kerberos5 slave from a Kerberos5 master.
I assume you are interested in the 4 -> 5 case (as the subject
suggests). 5 -> 5 isn't very documented either, but follows the same
basic rules as 4 -> 5 (there is only a difference at the client side).
> Can anyone give me any hints as to how to get such a setup to work?
If you compile with krb4 support, hprop will be able to dump a
kerberos 4 database in a hpropd compatible format.
The simplest invocation is somethig like:
hprop -4 heimdal-kdc-host
which tries to propagate a kerberos 4 database to the slave
kdc-host. You might want to encrypt the keys in the database before
sending them across the network, and then you need the `-E' and
possibly the `-m' flags. Note that hprop operates on the database
itself, and not on an ascii-dump.
Really very simple.
What isn't so simple is setting up rules to properly convert Kerberos
4 to Kerberos 5 principals. I tend to use something like this in
/etc/krb5.conf:
[libdefaults]
v4_instance_resolve = yes
[realms]
WHAT.EVER = {
v4_name_convert = {
host = {
amanda = amanda
chpass = chpass
ftp = ftp
hardmon = hardmon
hprop = hprop
pop = pop
rcmd = host
rvdsrv = rvdsrv
cvs = cvs
}
}
v4_instance_convert = {
# Put special cases here that aren't easily
# covered by other rules. For instance if you
# have a machine that lives in some other
# domain than those covered by the nameserver
# lookup. You probably also want something
# like:
kerberos = kerberos
# to cover for the special case rcmd.kerberos
# (even if that principal isn't used by
# Heimdal).
}
}
This should give you some idea at least. You should get some log
entries at the client side for principals that hprop couldn't convert,
and at the server side for any duplicates received (for instance if
you have two host principals, where one of the host names is a CNAME
for the other). We hope to provide some more doumentation in the
future, and also some sane defaults, especially for v4_name_convert.
/Johan