os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

With kerberosIV, note that the srvtab needs to be in /etc.

Browse source 
Using utilities like k5init is no longer required, that naming convention was
dropped in 5.X.
Remove some 4.X-5.X warning cruft.

Effectively closes PR:	34401 and 97409 (literally built world to investigate)
This commit is contained in:
Tom Rhodes 2006-11-04 05:40:26 +00:00
parent 2973498e90
commit d94196ea46
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=28999
1 changed files with 15 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

40
en_US.ISO8859-1/books/handbook/security/chapter.sgml
View file

@ -1773,45 +1773,45 @@ Edit O.K.
<command>ext_srvtab</command> command. This will create a file
which must be copied or moved <emphasis>by secure
means</emphasis> to each Kerberos client's
<filename>/etc/kerberosIV</filename> directory. This file must
<filename>/etc</filename> directory. This file must
be present on each server and client, and is crucial to the
operation of Kerberos.</para>
<screen>&prompt.root; <userinput>ext_srvtab grunt</userinput>
<prompt>Enter Kerberos master key:</prompt>
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Generating 'grunt-new-srvtab'....</screen>
<para>Now, this command only generates a temporary file which must be
renamed to <filename>srvtab</filename> so that all the servers can pick
it up. Use the &man.mv.1; command to move it into place on
the original system:</para>
<screen>&prompt.root; <userinput>mv grunt-new-srvtab srvtab</userinput></screen>
<para>If the file is for a client system, and the network is not deemed
safe, then copy the
<filename><replaceable>client</replaceable>-new-srvtab</filename> to
removable media and transport it by secure physical means. Be sure to
rename it to <filename>srvtab</filename> in the client's
<filename>/etc/kerberosIV</filename> directory, and make sure it is
<filename>/etc</filename> directory, and make sure it is
mode 600:</para>
<screen>&prompt.root; <userinput>mv grumble-new-srvtab srvtab</userinput>
&prompt.root; <userinput>chmod 600 srvtab</userinput></screen>
</sect2>
<sect2>
<title>Populating the Database</title>
<para>We now have to add some user entries into the database. First
let us create an entry for the user <username>jane</username>. Use the
<command>kdb_edit</command> command to do this:</para>
<screen>&prompt.root; <userinput>kdb_edit</userinput>
Opening database...
@ -1888,11 +1888,11 @@ Principal: jane@EXAMPLE.COM
Issued Expires Principal
Apr 30 11:23:22 Apr 30 19:23:22 krbtgt.EXAMPLE.COM@EXAMPLE.COM</screen>
<para>Now try changing the password using &man.passwd.1; to
check if the <application>kpasswd</application> daemon can get
authorization to the Kerberos database:</para>
<screen>&prompt.user; <userinput>passwd</userinput>
realm EXAMPLE.COM
<prompt>Old password for jane:</prompt>
@ -2286,10 +2286,10 @@ Verifying password - Password: <userinput>xxxxxxxx</userinput></screen>
ticket for the principal (user) that you just created from the
command-line of the <acronym>KDC</acronym> itself:</para>
<screen>&prompt.user; <userinput>k5init <replaceable>tillman</replaceable></userinput>
<screen>&prompt.user; <userinput>kinit <replaceable>tillman</replaceable></userinput>
tillman@EXAMPLE.ORG's Password:
&prompt.user; <userinput>k5list</userinput>
&prompt.user; <userinput>klist</userinput>
Credentials cache: FILE:<filename>/tmp/krb5cc_500</filename>
Principal: tillman@EXAMPLE.ORG
@ -2439,16 +2439,6 @@ kadmin><userinput> exit</userinput></screen>
option, which encrypts the entire data stream (similar to
<command>ssh</command>).</para>
<para>The core <application>Kerberos</application> client applications
(traditionally named <command>kinit</command>,
<command>klist</command>, <command>kdestroy</command>, and
<command>kpasswd</command>) are installed in
the base &os; install. Note that &os; versions prior to 5.0
renamed them to <command>k5init</command>,
<command>k5list</command>, <command>k5destroy</command>,
<command>k5passwd</command>, and <command>k5stash</command>
(though it is typically only used once).</para>
<para>Various non-core <application>Kerberos</application> client
applications are also installed by default. This is where the
<quote>minimal</quote> nature of the base Heimdal installation is