
List:       lon-capa-admin
Subject:    Re: [LON-CAPA-admin] kerberos
From:       lucasm () ohiou ! edu
Date:       2004-06-09 22:09:18
Message-ID: Pine.LNX.4.44.0406091749340.17450-100000 () lucas ! phy ! ohiou ! edu

Nathan,

I'm afraid it's one of those things where I set it up long ago, and it 
seems to keep working! Let me see what I can summarize:

After a little experimentation what I see is the following:

My /etc/krb5.conf file looks like this:

----------------------------------------------------------------------------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
        default_realm = oak_cell
        default_tgs_enctypes = des-cbc-crc
        default_tkt_enctypes = des-cbc-crc
        ticket_lifetime = 600

[realms]
        oak_cell = {
                kdc = ash.cats.ohiou.edu:88
                kdc = catawba.cats.ohiou.edu:88
        }

[domain_realm]
        .ohiou.edu = oak_cell

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = true
 }
-------------------------------------------------------------------
The real meat is in the realms and domain_realm. The latter says that
any machine in the IP domain .ohiou.edu should authenticate against the 
kerberos realm oak_cell.

As soon as I modify this file, it seems to take hold. I removed a portion, 
tried logging in, and it didn't work. Fixed it, and it worked. The 
kerberos library seems to check this file dynamically.

With the proper file in place, you can check it by using kinit:

[root@capa2 etc]# kinit lucasm
Password for lucasm@oak_cell:
[root@capa2 etc]#

The above means it successfully garnered a ticket from the server.

[root@capa2 etc]# kinit lucasm
Password for lucasm@oak_cell:
kinit(v5): Password incorrect while getting initial credentials
[root@capa2 etc]#

The above means I typed gibberish and failed to get a ticket (or something 
was not set up properly).

As soon as it passes this test, you can change a user's authentication in 
LON-CAPA to use kerberos 5 and enter the realm appropriately.
It should work without restarting anything as far as I know.

The kerberos services (krdc, krb5, ...) do not need to be running.

Let me know how it turns out!

Mark

 
On Wed, 9 Jun 2004, Nathan Schoenack wrote:

> Guy (and all),
> 
> Mark has been helping me along.
> 
> It is version 1.2.7 of kerberos 5.
> The realm is "NDSU.NODAK.EDU".
> And I have the addresses (and port) of the kerberos servers.  
> 
> Now I need to know which files to edit, which daemons to restart, etc...
> 
> Nathan Schoenack	
> Lab Technician
> Physics Department 
> North Dakota State University
> South Engineering 220D
> (701) 231-7047
>  
> _______________________________________________
> LON-CAPA-admin mailing list
> LON-CAPA-admin@mail.lon-capa.org
> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
> 

----------------------------------------------------------------------------
Mark Lucas					email: lucasm@ohiou.edu
252D Clippinger Lab  				phone: (740)597-2984
Department of Physics and Astronomy             fax:   (740)593-0433
Ohio University
Athens, OH 45701
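As an added illustration of the two sections Mark singles out (this is example code written for this archive page, not anything from the thread or from LON-CAPA), the script below parses a small krb5.conf-style file, resolves a hostname to a realm the way the [domain_realm] table is consulted (exact host entry first, then the most specific ".domain" suffix, then default_realm), lists the KDCs configured for that realm, and flags the des-cbc-crc enctypes from the mail, since single DES is deprecated for Kerberos by RFC 6649. The embedded config is constructed from the sections quoted in the mail; the extra "special.ohiou.edu = OTHER.REALM" entry is a constructed placeholder added only to show a host-level override winning over the domain rule.

```python
"""Toy krb5.conf parser with a [domain_realm] lookup and a weak-enctype check.

Example code, not part of the LON-CAPA thread. The sample config below is
constructed from the sections quoted in the mail; the OTHER.REALM entry is a
placeholder added to exercise host-level overrides.
"""
import re

SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = oak_cell
        default_tgs_enctypes = des-cbc-crc
        default_tkt_enctypes = des-cbc-crc
        ticket_lifetime = 600

[realms]
        oak_cell = {
                kdc = ash.cats.ohiou.edu:88
                kdc = catawba.cats.ohiou.edu:88
        }

[domain_realm]
        .ohiou.edu = oak_cell
        special.ohiou.edu = OTHER.REALM
"""

# Enctypes deprecated by RFC 6649 (single DES, exportable RC4) and RFC 8429
# (triple DES, RC4-HMAC). A config that still negotiates these should be fixed.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "arcfour-hmac-exp",
    "des3-cbc-sha1", "arcfour-hmac",
}


def parse_krb5_conf(text):
    """Return {section: {key: [values...]}}.

    A brace block such as ``oak_cell = { ... }`` is stored as a nested dict in
    the value list, so repeated keys (two ``kdc =`` lines) are all preserved.
    """
    root, stack, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(\S+)\]$", line)
        if header and not stack:
            current = root.setdefault(header.group(1), {})
            continue
        if line == "}":
            if not stack:
                raise ValueError("stray '}' outside a brace block")
            current = stack.pop()
            continue
        if current is None:
            raise ValueError(f"entry outside any section: {line!r}")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if value == "{":
            sub = {}
            current.setdefault(key, []).append(sub)
            stack.append(current)
            current = sub
        else:
            current.setdefault(key, []).append(value)
    if stack:
        raise ValueError("unterminated '{' block")
    return root


def realm_for_host(conf, hostname):
    """Mimic the [domain_realm] lookup: exact host, then parent domains from
    the most specific, then default_realm (None if nothing applies)."""
    mapping = {k.lower(): v[-1] for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    default = conf.get("libdefaults", {}).get("default_realm")
    return default[-1] if default else None


def kdcs_for_realm(conf, realm):
    """All ``kdc =`` entries inside the realm's brace block, in file order."""
    kdcs = []
    for block in conf.get("realms", {}).get(realm, []):
        if isinstance(block, dict):
            kdcs.extend(block.get("kdc", []))
    return kdcs


def weak_enctype_settings(conf):
    """(key, enctype) pairs in [libdefaults] that name a deprecated cipher."""
    found = []
    libdefaults = conf.get("libdefaults", {})
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        for value in libdefaults.get(key, []):
            for enc in value.replace(",", " ").split():
                if enc.lower() in WEAK_ENCTYPES:
                    found.append((key, enc))
    return found


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for host in ("capa2.phy.ohiou.edu", "special.ohiou.edu", "host.example.org"):
        realm = realm_for_host(conf, host)
        print(f"{host:25s} -> {realm:12s} KDCs: {kdcs_for_realm(conf, realm)}")
    for key, enc in weak_enctype_settings(conf):
        print(f"WARNING: {key} allows deprecated enctype {enc}")
```

The lookup order is the reason a wrong or missing [domain_realm] line breaks logins without any daemon being involved: the client library reads this file on every request, decides which realm the user belongs to, and only then asks one of the listed KDCs for a ticket, which is exactly what the kinit test in the mail exercises.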

