FANDOM


ImplementationEdit

OpenBSD doesn't use MIT Kerberos. It uses Heimdal instead.

SetupEdit

Heimdal comes with OpenBSD. Just edit /etc/krb5.conf. (This file may be in /etc/heimdal/krb5.conf).

Sample krb5.conf (for a realm called OPENBSD.RULES)Edit

    [libdefaults]
            default_realm = OPENBSD.RULES
    [realms]
            OPENBSD.RULES = {
                    kdc = my.master my.slave
            }
    [domain_realm]
            .my.domain = OPENBSD.RULES

Setting up "Realms"Edit

Do these commands: (replace OPENBSD.RULES and MonkeyJones (note: empty fields are where you press Enter))

# mkdir /var/heimdal
# kstash –-random-key
# kadmin -l
 kadmin> init OPENBSD.RULES
 Realm max ticket life [unlimited]:
 Realm max renewable ticket life [unlimited]:
 kadmin> add me
 Max ticket life [unlimited]:
 Max renewable life [unlimited]:
 Attributes []:
 Password: MonkeyJones
 Verifying password - Password: MonkeyJones
 kadmin> exit
 # kdc &

Masters and SlavesEdit

You think about slavery, right? But in Kerberos, master means "main Kerberos server" and slave means "last-resort Kerberos server".

Setting up SlavesEdit

Install OpenBSD on a another computer (aka slave). Now do these commands on the slave:

# ktutil get -p foo/admin hprop/`hostname`
# mkdir /var/heimdal
# hpropd &

Edit /etc/rc.conf and change:

krb5_slave_kdc=NO

to

krb5_slave_kdc=YES

and then modify /etc/inetd.conf to have in it:

slave stream tcp nowait root /usr/libexec/hpropd hpropd
slave stream tcp6 nowait root /usr/libexec/hpropd hpropd

Setting up MastersEdit

Edit /etc/rc.conf and change:

krb5_master_kdc=NO

to

krb5_master_kdc=YES

Sending Master Data to SlavesEdit

On the master, run:

hprop

assuming you have Kerberos slaves working.