[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Incomplete documentation



On Thu, 18 Sep 2003, Love wrote:

>
> Martin MOKREJ? <mmokrejs@natur.cuni.cz> writes:
>
> > So, how am I supposed to configure heimdal whe want to use AFS? With or
> > without --with-krb4. How about the --enable-kaserver option. As I do not
> > need to convert from krb4 to krb5 type databse, I can omit
> > --enable-kaserver-db, right?
>
> --enable-kaserver requires krb4 libs, so for that you'll need a working
>   krb4 are you still using a kaserver/kaserver emulation ?

Yes, I do have set KDC to be in kaserver emulation, actually I'm not sure
if I need to... :( Passwords are in heimdal database and as long as user
get AFS tokens I'm find with removing that option. Explanation?


> --enable-kaserver-db is just for dumping a kaserver krb4 database. If you
>   are no longer running a kaserver, you don't need it.

OK, this I guessed I don't need. Could the docs be written more for
dummies? ;)


> > The docs at http://www.pdc.kth.se/heimdal/heimdal.html are really
> > insufficient. For example, on slaves, am I supposed "kdc -s"?
> > It says only about hpropd. With krb4, we used to run "kerberos -s" on
> > slaves ...
>
> There is no -s (slave flag) for heimdal kdc. The old "kerberos" v4 kdc used
> to look at the data and if it was "old" refused to serve any of the data.

OK, so on Heimdal slaves should run kdc without any special arguments?


> > Another question, how is the database on slaves encrypted? Does it use
> > the master key from master KDC? I guess not. So where is the master key
> > used on slaves?Is that the hprop/host key?
>
> Its encrypted with the master key in /var/heimdal/m-key, the
> hprop/`hostname` keys are just for authentication and transport encryption
> when dumping the database.


That was my impression, but I did not generate any /var/heimdal/m-key on
machines acting as slaves ... I did not have to do this step to start
hpropd ... so is the database unencrypted? The web documentation(URL below)
doesn't say anything about generating another master key (this time on slaves).


> > http://www.pdc.kth.se/heimdal/heimdal.html#Slave%20Servers contains a typo:
> > "Every slave needs a keytab with a principal, hprop/hostname. Add that with
> > the ktutil command and start propd, as follows:
> >
> > slave# ktutil get -p foo/admin host/`hostname`
> > slave# hpropd
> > "
> >
> > I believe there should be in example:
> >
> > slave# ktutil get -p foo/admin hprop/`hostname`
> > slave# hpropd
>
> This is fixed in the info documentation, just not propagated to the
> webpage.

What a pity. I never got user to use info(1) program, I prefer html
although you say "bad html rendition". ;)

-- 
Martin Mokrejs <mmokrejs@natur.cuni.cz>, <m.mokrejs@gsf.de>
PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics <http://mips.gsf.de>
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585