Implementation
OpenBSD doesn't use MIT Kerberos. It uses Heimdal instead.
Setup
Heimdal ships with OpenBSD, so the only file you need to edit is /etc/krb5.conf (on some installs it lives at /etc/heimdal/krb5.conf).
Sample krb5.conf (for a realm called OPENBSD.RULES)
[libdefaults]
    default_realm = OPENBSD.RULES
[realms]
    OPENBSD.RULES = {
        # one kdc line per server; the master is tried first
        kdc = my.master
        kdc = my.slave
    }
[domain_realm]
    .my.domain = OPENBSD.RULES
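To check a krb5.conf like the one above before starting the KDC, here is a small parser and sanity checker (an added example, not code from the page or from Heimdal). It reads the [section] / key = value / brace sub-block layout and reports the mistakes that stop a client from finding a KDC: a default_realm with no [realms] block, a realm with no kdc, several hosts on one kdc line, or a [domain_realm] mapping to an undefined realm. The embedded config is a constructed sample mirroring the page's realm.

```python
import re

# Constructed sample that mirrors the page's realm layout (not a real site).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = OPENBSD.RULES
[realms]
    OPENBSD.RULES = {
        kdc = my.master
        kdc = my.slave
    }
[domain_realm]
    .my.domain = OPENBSD.RULES
"""

def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; '{ ... }' sub-blocks become nested dicts."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # strip comments and blanks
        if not line:
            continue
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header:                                 # new top-level section
            stack = [sections.setdefault(header.group(1), {})]
        elif line == "}":                          # leave the current sub-block
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            target = {} if value == "{" else value
            stack[-1].setdefault(key, []).append(target)  # repeated keys accumulate
            if value == "{":                       # descend into the sub-block
                stack.append(target)
    return sections

def check_krb5_conf(conf):
    """List mistakes that stop a client from finding a KDC for its realm."""
    problems = []
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if default not in realms:
        problems.append(f"default_realm {default!r} has no [realms] block")
    for name, blocks in realms.items():
        kdcs = [k for b in blocks if isinstance(b, dict) for k in b.get("kdc", [])]
        if not kdcs:
            problems.append(f"realm {name} lists no kdc")
        problems += [f"realm {name}: kdc {k!r} is not a single host" for k in kdcs if " " in k]
    for domain, targets in conf.get("domain_realm", {}).items():
        problems += [f"{domain} maps to undefined realm {t}" for t in targets if t not in realms]
    return problems
```

Run `check_krb5_conf(parse_krb5_conf(open("/etc/krb5.conf").read()))` on a real file; an empty list means the three sections agree with each other.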
Setting up "Realms"
Run these commands, replacing OPENBSD.RULES with your realm name and MonkeyJones with a password of your own. Where a prompt is shown with no answer, just press Enter to accept the default.
# mkdir /var/heimdal
# kstash --random-key
# kadmin -l
kadmin> init OPENBSD.RULES
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin> add me
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Attributes []:
Password: MonkeyJones
Verifying password - Password: MonkeyJones
kadmin> exit
# kdc &
Masters and Slaves
Despite the terminology, in Kerberos "master" simply means the main Kerberos server and "slave" means a backup, last-resort Kerberos server.
Setting up Slaves
Install OpenBSD on another computer (the slave). Then run these commands on the slave (replace foo/admin with an admin principal that exists on the master):
# ktutil get -p foo/admin hprop/`hostname`
# mkdir /var/heimdal
# hpropd &
Edit /etc/rc.conf and change:
krb5_slave_kdc=NO
to
krb5_slave_kdc=YES
and then add these two lines to /etc/inetd.conf:
slave stream tcp nowait root /usr/libexec/hpropd hpropd
slave stream tcp6 nowait root /usr/libexec/hpropd hpropd
Setting up Masters
Edit /etc/rc.conf and change:
krb5_master_kdc=NO
to
krb5_master_kdc=YES
Sending Master Data to Slaves
Once the slaves are up and running hpropd, push the database to them by running this on the master:
hprop