

Implementation

OpenBSD doesn't use MIT Kerberos. It uses Heimdal instead.

Setup

Heimdal comes with OpenBSD. Just edit /etc/krb5.conf.

Sample krb5.conf (for a realm called OPENBSD.RULES)

    [libdefaults]
            default_realm = OPENBSD.RULES
    [realms]
            OPENBSD.RULES = {
                    kdc = my.master my.slave
            }
    [domain_realm]
            .my.domain = OPENBSD.RULES
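The krb5.conf layout above is not plain INI: a realm's settings sit inside a brace-delimited block under [realms]. As an added example (not from this wiki page or from Heimdal), here is a small parser for that layout plus a consistency check that every realm named as default_realm or in [domain_realm] is actually defined under [realms] with a kdc. The sample text embedded below is the page's own config, reproduced for testing; the function names are my own.

```python
import re

# The page's sample config, embedded here so the example runs offline.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = OPENBSD.RULES
[realms]
        OPENBSD.RULES = {
                kdc = my.master my.slave
        }
[domain_realm]
        .my.domain = OPENBSD.RULES
"""

def parse_krb5_conf(text):
    """Return {section: {key: value or nested dict}}; 'key = {' opens a block."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:                                    # new top-level section
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:                            # key before any section: ignore
            continue
        if line == "}":                          # close the innermost block
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf

def kdcs_for(conf, realm):
    """KDC hosts for a realm; the sample lists them space-separated on one line."""
    return conf.get("realms", {}).get(realm, {}).get("kdc", "").split()

def check_realms(conf):
    """List problems: referenced-but-undefined realms, or realms with no kdc."""
    realms = conf.get("realms", {})
    referenced = set(conf.get("domain_realm", {}).values())
    default = conf.get("libdefaults", {}).get("default_realm")
    if default:
        referenced.add(default)
    problems = [f"realm {r} referenced but not defined in [realms]"
                for r in sorted(referenced) if r not in realms]
    problems += [f"realm {r} has no kdc entry"
                 for r, s in realms.items() if not isinstance(s, dict) or not s.get("kdc")]
    return problems
```

Run check_realms on a host's /etc/krb5.conf before starting kdc or hpropd; a client with a default_realm that no [realms] block defines will fail to locate any KDC.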

Setting up "Realms"

Run the following commands, replacing OPENBSD.RULES with your realm name and MonkeyJones with your own password. Where a prompt is shown with nothing after it, just press Enter to accept the default:

# mkdir /var/heimdal
# kstash --random-key
# kadmin -l
kadmin> init OPENBSD.RULES
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin> add me
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Attributes []:
Password: MonkeyJones
Verifying password - Password: MonkeyJones
kadmin> exit
# kdc &

Masters and Slaves

The names sound like slavery, but in Kerberos "master" means the main Kerberos server, the one holding the writable database, and "slave" means a last-resort Kerberos server that receives a copy of the master's database and serves it when the master is unavailable.

Setting up Slaves

Install OpenBSD on another computer (the slave). Then run these commands on the slave:

# ktutil get -p foo/admin hprop/`hostname`
# mkdir /var/heimdal
# hpropd &

Edit /etc/rc.conf and change:

krb5_slave_kdc=NO

to

krb5_slave_kdc=YES

and then modify /etc/inetd.conf to have in it:

slave stream tcp nowait root /usr/libexec/hpropd hpropd
slave stream tcp6 nowait root /usr/libexec/hpropd hpropd

Setting up Masters

Edit /etc/rc.conf and change:

krb5_master_kdc=NO

to

krb5_master_kdc=YES

Sending Master Data to Slaves

On the master, run:

hprop

assuming you have Kerberos slaves working.
