List: lon-capa-admin
Subject: Re: [LON-CAPA-admin] kerberos
From: lucasm () ohiou ! edu
Date: 2004-06-09 22:09:18
Message-ID: Pine.LNX.4.44.0406091749340.17450-100000 () lucas ! phy ! ohiou ! edu
Nathan,
I'm afraid it's one of those things where I set it up long ago, and it
seems to keep working! Let me see what I can summarize:
After a little experimentation what I see is the following:
My /etc/krb5.conf file looks like this:
----------------------------------------------------------------------------
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = oak_cell
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
    ticket_lifetime = 600

[realms]
    oak_cell = {
        kdc = ash.cats.ohiou.edu:88
        kdc = catawba.cats.ohiou.edu:88
    }

[domain_realm]
    .ohiou.edu = oak_cell

[kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = true
    }
-------------------------------------------------------------------
The real meat is in the realms and domain_realm. The latter says that
any machine in the IP domain .ohiou.edu should authenticate against the
kerberos realm oak_cell.
As soon as I modify this file, it seems to take hold. I removed a portion,
tried logging in, and it didn't work. Fixed it, and it worked. The
kerberos library seems to check this file dynamically.
With the proper file in place, you can check it by using kinit:
[root@capa2 etc]# kinit lucasm
Password for lucasm@oak_cell:
[root@capa2 etc]#
The above means it successfully garnered a ticket from the server.
[root@capa2 etc]# kinit lucasm
Password for lucasm@oak_cell:
kinit(v5): Password incorrect while getting initial credentials
[root@capa2 etc]#
The above means I typed gibberish and failed to get a ticket (or something
was not set up properly).
As soon as it passes this test, you can change a user's authentication in
LON-CAPA to use kerberos 5 and enter the realm appropriately.
It should work without restarting anything as far as I know.
The kerberos services (krdc, krb5, ...) do not need to be running.
Let me know how it turns out!
Mark
On Wed, 9 Jun 2004, Nathan Schoenack wrote:
> Guy (and all),
>
> Mark has been helping me along.
>
> It is version 1.2.7 of kerberos 5.
> The realm is "NDSU.NODAK.EDU".
> And I have the addresses (and port) of the kerberos servers.
>
> Now I need to know which files to edit, which daemons to restart, etc...
>
> Nathan Schoenack
> Lab Technician
> Physics Department
> North Dakota State University
> South Engineering 220D
> (701) 231-7047
>
>
----------------------------------------------------------------------------
Mark Lucas email: lucasm@ohiou.edu
252D Clippinger Lab phone: (740)597-2984
Department of Physics and Astronomy fax: (740)593-0433
Ohio University
Athens, OH 45701
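An added example, not from Mark's message or from LON-CAPA: a small Python check that parses a krb5.conf shaped like the one above, resolves a hostname through [domain_realm] the way the post describes it, and flags the single-DES enctypes that file still uses. The config text is a constructed excerpt of the posted file, and the parser is a simplified one assumed to be sufficient for files of this shape.

```python
# Constructed from the krb5.conf in the post above (unrelated sections omitted).
KRB5_CONF = """[libdefaults]
default_realm = oak_cell
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
[realms]
oak_cell = {
kdc = ash.cats.ohiou.edu:88
kdc = catawba.cats.ohiou.edu:88
}
[domain_realm]
.ohiou.edu = oak_cell
"""
# Single-DES enctypes; MIT Kerberos dropped support for them in release 1.18.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw"}

def parse_krb5_conf(text):
    """Sections, 'key = value' lines and one level of 'key = { ... }' blocks; repeated keys collect into lists."""
    conf, section, block = {}, None, None
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section).setdefault(key, []).append(value)
    return conf

def realm_for_host(conf, hostname):
    """Simplified [domain_realm] lookup: exact host entry, then longest '.domain' suffix, else default_realm."""
    mapping = {k: v[0] for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    candidates = [host] + ["." + ".".join(host.split(".")[i:]) for i in range(1, host.count(".") + 1)]
    for candidate in candidates:
        if candidate in mapping:
            return mapping[candidate]
    return conf["libdefaults"]["default_realm"][0]

def weak_enctype_findings(conf):
    """Return the libdefaults *_enctypes settings that still name single-DES types."""
    findings = []
    for key, values in conf.get("libdefaults", {}).items():
        weak = [e for v in values for e in v.split() if e in WEAK_ENCTYPES]
        if key.endswith("enctypes") and weak:
            findings.append((key, weak))
    return findings
```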