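# KERBEROS 5 and the Horror! Oh, the Horror!
#
# Patrick ("Don't go there... or carry a lute and sing very softly") Powell
#
# OK, if you are reading this, you are tough enough to take it.
#
# This file is a shell script. The commented-out part is the walk-through
# (build, install, and the two config files); the commands at the bottom
# create the KDC database and ACL, the keytabs an LPRng print server needs,
# and then start the daemons. Run it as root on the KDC host after changing
# the realm, host names and paths to yours.
#
# Get the latest version of kerberos
#
#   http://web.mit.edu/kerberos/www/
#   and follow links.
#
# Compile/Install kerberos
#   - this is for 1.2.4, but should be same
#
#   tar xf krb5-1.2.4.tar
#     -- unpacks the dist and you get signature + dist
#   tar zxf krb5-1.2.4.tar.gz
#   cd krb5-1.2.4
#
# --- the README
#   more README -- for latest dope, if any
#
# --- the documents
#   gv doc/install-guide.ps -- the real stuff
#   gv doc/admin-guide.ps
#   gv doc/user-guide.ps
#
# ---- but since you have not read them, you will need to know:
#   a) your realm (the commands below use 'ASTART.COM'; change every occurrence)
#   b) the secret password for the key distribution server
#      - write this down... :-)
#   c) a ready source of aspirin or ibuprofen
#
# -----
# USE GMAKE repeat GNU Make!!!
#
#   cd src
#   ./configure
#   gmake        (and a LOOONG pause. Coffee time)
#   gmake check  (and an even longer pause)
#
#   su
#   gmake install
#
# ----------
#
# --- here is the default /etc/krb5.conf file:
#
#   [libdefaults]
#   ticket_lifetime = 600
#   default_realm = ATHENA.MIT.EDU
#   default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
#   default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
#
#   [realms]
#   ATHENA.MIT.EDU = {
#     kdc = kerberos.mit.edu:88
#     kdc = kerberos-1.mit.edu:88
#     kdc = kerberos-2.mit.edu:88
#     admin_server = kerberos.mit.edu:749
#     default_domain = mit.edu
#   }
#
#   [domain_realm]
#   .mit.edu = ATHENA.MIT.EDU
#   mit.edu = ATHENA.MIT.EDU
#
#   [logging]
#   kdc = FILE:/var/log/krb5kdc.log
#   admin_server = FILE:/var/log/kadmin.log
#   default = FILE:/var/log/krb5lib.log
#
# ---- after editing:
#
#   [libdefaults]
#   ticket_lifetime = 600
#   default_realm = ASTART.COM
#   default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
#   default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
#
#   [realms]
#   ASTART.COM = {
#     kdc = h110.private:88
#     admin_server = h110.private:749
#     default_domain = private
#   }
#
#   [domain_realm]
#   .private = ASTART.COM
#   private = ASTART.COM
#   .astart.com = ASTART.COM
#   astart.com = ASTART.COM
#
#   [logging]
#   kdc = FILE:/var/log/krb5kdc.log
#   admin_server = FILE:/var/log/kadmin.log
#   default = FILE:/var/log/krb5lib.log
#
#   NOTE: des-cbc-crc is single DES, which is weak. Recent MIT releases
#   refuse it unless allow_weak_crypto = true is set in [libdefaults];
#   keep it only if you need it, e.g. for the Kerberos V4 support
#   mentioned below.
#
# --------------- default /usr/local/var/krb5kdc/kdc.conf
#
#   [kdcdefaults]
#   kdc_ports = 88,750
#
#   [realms]
#   ATHENA.MIT.EDU = {
#     database_name = /usr/local/var/krb5kdc/principal
#     admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
#     acl_file = /usr/local/var/krb5kdc/kadm5.acl
#     dict_file = /usr/local/var/krb5kdc/kadm5.dict
#     key_stash_file = /usr/local/var/krb5kdc/.k5.ATHENA.MIT.EDU
#     kadmind_port = 749
#     max_life = 10h 0m 0s
#     max_renewable_life = 7d 0h 0m 0s
#     master_key_type = des3-hmac-sha1
#     supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
#   }
#
# To add Kerberos V4 support, add `des-cbc-crc:v4' to the
# `supported_enctypes' line.
#
# -------------- after editing it:
#
#   [kdcdefaults]
#   kdc_ports = 88,750
#
#   [realms]
#   ASTART.COM = {
#     database_name = /usr/local/var/krb5kdc/principal
#     admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
#     acl_file = /usr/local/var/krb5kdc/kadm5.acl
#     dict_file = /usr/local/var/krb5kdc/kadm5.dict
#     key_stash_file = /usr/local/var/krb5kdc/.k5.ASTART.COM
#     kadmind_port = 749
#     max_life = 10h 0m 0s
#     max_renewable_life = 7d 0h 0m 0s
#     master_key_type = des3-hmac-sha1
#     supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
#   }
#
# -------- now create database:
#   -s also writes the master key to key_stash_file (the .k5.ASTART.COM file
#   above) so krb5kdc can start without a prompt; that file is as sensitive
#   as the database itself. Stop here if creation fails: everything below
#   assumes the database exists.
#
echo "create database"
kdb5_util create -r ASTART.COM -s || exit 1
# (you will need the password)
#
# ------- create ACL
#   kadm5.acl lines are "principal  permissions". The second field "*"
#   grants every kadmin privilege to any principal whose instance is "admin"
#   (admin/admin and papowell/admin below). Narrow it for a production realm.
#
echo "creating acl"
echo "*/admin@ASTART.COM *" >/usr/local/var/krb5kdc/kadm5.acl || exit 1
# -- now run kadmin:
#   The echo only prints the commands; kadmin.local is then started
#   interactively so you can paste them in. The host ktadd has no -k and so
#   goes to the default keytab; the lpd one is written to its own file.
#
echo "
Add principle commands. Change papowell and host h110.private
to the apprpriate ones for your site:

addprinc admin/admin@ASTART.COM
addprinc papowell/admin@ASTART.COM
addprinc papowell

--- for the host
addprinc -randkey host/h110.private

--- for kadmin to use
ktadd host/h110.private

 --- this is for the printer
addprinc -randkey lpd/h110.private
ktadd -k /etc/lpd.h110.private lpd/h110.private
ktadd -k /usr/local/var/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
quit
"
kadmin.local

# /etc/lpd.krb is the keytab the printcap below points at. It holds the lpd
# service's long-term key, so keep it readable only by the account lpd reads
# it with (chown it if your lpd does not run as root).
cp /etc/lpd.h110.private /etc/lpd.krb || exit 1
chmod 600 /etc/lpd.krb

# Do not make a second, readable copy of the keytab (such as
# /etc/lpr.krb5.public chowned to a user) -- lpd is pointed at the private
# file through kerberos_keytab instead.

############
echo "start servers"
# Both daemons normally put themselves in the background, so the log may
# still be empty when cat runs; re-run cat if it prints nothing.
krb5kdc
cat /var/log/krb5kdc.log
kadmind
cat /var/log/kadmind.log

############
#
# Here is the printcap
#
#   lp
#     :auth=kerberos5
#     :kerberos_id=lpd/h110.private
#     :kerberos_keytab=/etc/lpd.krb
#     :lp=/dev/null
#     :sd=/var/spool/lpd
#
# set this up, and then do:
#   checkpc -f
#   kinit (you may have to specify a principal)
#   lpq
# Enjoy
#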