Re: Re: Re: kerberos setup, basic questions
> 1. Is this "host" the hostname of the service PC? And
> do I have to use the hostname instead of the service PC's
> IP address??
The principal consists of 3 parts:
<Name> / <Instance> @ <Realm> (spaces inserted for readability)
For users <Name> obviously is the username, <Instance> is empty and
<Realm> is your Realm (obviously). Sometimes the <Instance> is used
for administrative accounts.
Example:
haba@KTH.SE
haba/admin@KTH.SE
For services (like telnet, rsh, ftp, nfs, afs) the <Name> is the service
name. telnet and rsh and ssh share the name "host" because a host
is identified by it. <Instance> is the name of the host and <Realm>
again is as usual.
Fictional examples:
host/loginserver.kth.se@KTH.SE
host/belgarath.lfs.org@LFS.ORG
afs/kth.se@KTH.SE
The confusing part is that all commands accept principals in short forms
where the "obvious" (default) parts are omitted.
Example:
kinit haba
which means <Name> is haba, <Instance> is empty and <Realm> is default
(KTH.SE in my case).
> 2. If my hostname is kerberosA, the kerberosized
> service program is heimdal's telnetd, and my krb5.conf
> is the following:
>
> [libdefaults]
> default_realm = WEDGIE.ORG
>
> [realms]
> WEDGIE.ORG = {
> kdc = 192.168.0.30
> admin_server = 192.168.0.30
> }
>
> [domain_realm]
> .wedgie.org = WEDGIE.ORG
>
> the "host" should be kerberosA or admin_server?
> so will I input
> kadmin>add -r kerberosA/WEDGIE.ORG
> or the
> kadmin>add -r admin_server/WEDGIE.ORG
You need one for each host you want to login to.
It should be <Name>/<Instance>@<Realm> which in your case
probably is
host/kerberosA.your.domain@WEDGIE.ORG
host/kerberosB.your.domain@WEDGIE.ORG
host/kerberosC.your.domain@WEDGIE.ORG
or something like that
The Instance part must match what the IP address of the host resolves
to. For Kerberos to work, you must have a working setup of host name
resolving in both directions.
You said "kadmin>add -r ....", but it is easier to use ktutil get on
each of your hosts. It creates the principal in the KDC and makes the
corresponding /etc/krb5.keytab on the host.
Harald.
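The naming rules Harald describes (full and short principal forms, the host/<fqdn>@<REALM> principal a login server needs, the [domain_realm] mapping from the questioner's krb5.conf, and the requirement that the instance match what the address resolves to in both directions) can be checked mechanically. The following is an added example written for this page; it is not code from Harald or from Heimdal. The krb5.conf text is a copy of the one quoted in the question, the DNS answers are constructed sample data, and the host-to-realm lookup order (exact host, then parent domains from longest to shortest, then default_realm) is a simplified version of the usual library rule.

```python
"""Kerberos principal naming helpers (added example, not Heimdal code)."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Principal:
    name: str       # service or user name, e.g. "host" or "haba"
    instance: str   # host name for services, usually empty for users
    realm: str      # e.g. "KTH.SE"

    def __str__(self) -> str:
        head = f"{self.name}/{self.instance}" if self.instance else self.name
        return f"{head}@{self.realm}"


def parse_principal(text: str, default_realm: str) -> Principal:
    """Split <Name>/<Instance>@<Realm>; omitted parts take the defaults.

    Assumption: plain ASCII names without backslash escapes, as in the
    examples on the list.
    """
    head, realm = text.rsplit("@", 1) if "@" in text else (text, default_realm)
    name, instance = head.split("/", 1) if "/" in head else (head, "")
    if not name or not realm:
        raise ValueError(f"malformed principal: {text!r}")
    return Principal(name, instance, realm)


# Copy of the krb5.conf quoted in the question (constructed sample input).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = WEDGIE.ORG

[realms]
    WEDGIE.ORG = {
        kdc = 192.168.0.30
        admin_server = 192.168.0.30
    }

[domain_realm]
    .wedgie.org = WEDGIE.ORG
"""


def parse_krb5_conf(text: str) -> dict:
    """Minimal krb5.conf reader: [section] headers, key = value lines and
    nested "name = { ... }" blocks. Comments after '#' are ignored."""
    conf: dict = {}
    stack: List[dict] = []          # innermost dict currently being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"value outside any section: {line!r}")
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def realm_for_host(fqdn: str, conf: dict) -> str:
    """Map a host name to a realm: exact [domain_realm] match first, then
    parent domains (".wedgie.org") from longest to shortest, then
    default_realm. Simplified version of the library lookup (assumption)."""
    mapping = conf.get("domain_realm", {})
    host = fqdn.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf["libdefaults"]["default_realm"]


def host_principal(fqdn: str, conf: dict) -> Principal:
    """The service principal a login host needs: host/<fqdn>@<REALM>."""
    return Principal("host", fqdn.lower().rstrip("."), realm_for_host(fqdn, conf))


# Constructed DNS answers standing in for a real resolver.
FORWARD = {"kerberosa.wedgie.org": "192.168.0.31"}
REVERSE = {"192.168.0.31": "kerberosa.wedgie.org",
           "192.168.0.32": "kerberosb.wedgie.org"}


def check_name_resolution(fqdn: str, ip: str,
                          forward: Callable[[str], Optional[str]],
                          reverse: Callable[[str], Optional[str]]) -> List[str]:
    """Return the problems found; an empty list means the instance name and
    the address agree in both directions, as Kerberos requires."""
    problems = []
    if forward(fqdn.lower().rstrip(".")) != ip:
        problems.append(f"{fqdn} does not resolve to {ip}")
    if reverse(ip) != fqdn.lower().rstrip("."):
        problems.append(f"{ip} does not reverse-resolve to {fqdn}")
    return problems


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print(parse_principal("haba", "KTH.SE"))          # haba@KTH.SE
    print(host_principal("kerberosA.wedgie.org", conf))
    print(check_name_resolution("kerberosB.wedgie.org", "192.168.0.32",
                                FORWARD.get, REVERSE.get))
```

Running the script shows that kerberosB has a reverse record but no forward record, which is exactly the one-directional setup Harald warns about; the principal for that host would be created fine with ktutil get but ticket verification against it would fail until the forward entry is added.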